我无法使用Visual Studio 2010 Express在SQL Server 2008 R2 Management Studio的表中插入项目

Question

Here is the problem

cmd.ExectureNonQuery()

Error:

Column name or number of supplied values does not match table definition.

Here is my code for the add button

Dim con As New SqlClient.SqlConnection("Server=.\SQLExpress;AttachDBFilename=C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\DATA\Finals.mdf;Database=Finals;Trusted_Connection=Yes;")
Dim cmd As New SqlClient.SqlCommand

cmd.Connection = con
cmd.CommandText = "Insert Into [Finals].[dbo].[Nokia] Values ('" & Unit.Text & "'),('" & Price.Text & " '),('" & Stack.Text & "'),('" & Processor.Text & "'),('" & Size.Text & "'),('" & RAM.Text & "'),('" & Internal.Text & "'),('" & ComboBox1.Text & "')"

con.Open()
cmd.ExecuteNonQuery()
con.Close()

I'm using SQL Server 2008 R2 and it errors when I press add can anyone find me a solution and can anyone also help me how to create a delete query also?

Thanks in advance.

Answer 1

Try this:

Dim con As New SqlClient.SqlConnection("Server=.\SQLExpress;AttachDBFilename=C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\DATA\Finals.mdf;Database=Finals;Trusted_Connection=Yes;")
Dim cmd As New SqlClient.SqlCommand

cmd.Connection = con
    ' the following text is wrapped for readability
    cmd.CommandText = "Insert Into [Finals].[dbo].[Nokia] Values ('" & Unit.Text & _
        "', '" & Price.Text & "', '" & Stack.Text & "', '" & Processor.Text & "', '" & _
        Size.Text & "', '" & RAM.Text & "', '" & Internal.Text & "', '" & _
        ComboBox1.Text & "')"
    con.Open()
    cmd.ExecuteNonQuery()
    con.Close()
}

You don't need to encapsulate each value in ( and ) ; the entire value list is encapsulated in a single set of brackets, as in my code.

On another note, performing string concatenation like this creates a SQL Injection vulnerability; you should be using sqlParameter objects to pass the values into the statement.