
VB.Net SQL Insert into Using Windows Forms Data

Alright, I have picked up everything I know about VB.Net from trial and error. I have built an SQL string that works in Access and tried to implement it; however, it doesn't seem to work in my program. I totally accept that I don't have a firm grasp on it, so what am I doing wrong? This particular form just needs to take the text from textboxes in a Windows form and insert it into a database.

    Dim insertSql As String = "INSERT INTO StudentTable VALUES ('" + BadgeNoTextBox.Text + "','" + FirstNameTextBox.Text + "','" + LastNameTextBox.Text + "','" + SAPSIDTextBox.Text + "','" + EmailTextBox.Text + "'.'" + PhoneTextBox.Text + "','" + CollegeComboBox.Text + "')"
    conn.ConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=""C:\Users\larsennicholasg\Documents\Visual Studio   2012\Projects\SSCLogin\SSCLogin\My Project\SSCStudent.mdb"""
    Dim da As New OleDbDataAdapter(insertSql, conn)

    If (da.Update(ds)) Then
        MessageBox.Show("Success")
    Else
        MessageBox.Show("Fail")
    End If

Any ideas?

Try this:

    ' Requires "Imports System.Data.OleDb" at the top of the file.
    Dim insertSql As String = "INSERT INTO StudentTable VALUES (?, ?, ?, ?, ?, ?, ?)"
    Dim connStr As String = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=""C:\Users\larsennicholasg\Documents\Visual Studio   2012\Projects\SSCLogin\SSCLogin\My Project\SSCStudent.mdb"""
    Using conn As New OleDbConnection(connStr), _
          cmd As New OleDbCommand(insertSql, conn)

        ' I had to guess at types and lengths here.
        ' Adjust this to use actual types and lengths in your database.
        ' OLE DB parameters are positional, so the order of these Add calls
        ' must match the order of the ? placeholders in the SQL.
        cmd.Parameters.Add("?", OleDbType.Integer).Value = CInt(BadgeNoTextBox.Text)
        cmd.Parameters.Add("?", OleDbType.VarWChar, 20).Value = FirstNameTextBox.Text
        cmd.Parameters.Add("?", OleDbType.VarWChar, 20).Value = LastNameTextBox.Text
        cmd.Parameters.Add("?", OleDbType.Integer).Value = CInt(SAPSIDTextBox.Text)
        cmd.Parameters.Add("?", OleDbType.VarWChar, 50).Value = EmailTextBox.Text
        cmd.Parameters.Add("?", OleDbType.VarChar, 20).Value = PhoneTextBox.Text
        cmd.Parameters.Add("?", OleDbType.VarWChar, 35).Value = CollegeComboBox.Text

        conn.Open()
        cmd.ExecuteNonQuery()
    End Using

The use of query parameters rather than string substitution is important. What you had was crazy-vulnerable to SQL injection attacks.
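The same parameterised insert, pulled out of the form into a reusable function, as an added example that is not part of the question or the answer above. It validates the two numeric fields with Integer.TryParse before touching the database (the answer's CInt calls throw an InvalidCastException on a blank or non-numeric textbox), and names the columns explicitly so the INSERT no longer depends on the table's column order. The column names, the database path and the column lengths are assumptions; adjust them to match SSCStudent.mdb.

```vbnet
Imports System.Data.OleDb

Module StudentInsert
    ' Assumed path; point this at the real SSCStudent.mdb.
    Private Const ConnStr As String =
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=""C:\path\to\SSCStudent.mdb"""

    ' Inserts one student row using OLE DB parameters and returns the number
    ' of rows written (1 on success). Non-numeric badge or SAPS ID values are
    ' rejected here, with a clear message for the form to show the user,
    ' instead of surfacing as a cast exception inside the database call.
    Public Function InsertStudent(badgeNo As String, firstName As String,
                                  lastName As String, sapsId As String,
                                  email As String, phone As String,
                                  college As String) As Integer
        Dim badge As Integer
        Dim saps As Integer
        If Not Integer.TryParse(badgeNo, badge) Then
            Throw New ArgumentException("Badge number must be a whole number", "badgeNo")
        End If
        If Not Integer.TryParse(sapsId, saps) Then
            Throw New ArgumentException("SAPS ID must be a whole number", "sapsId")
        End If

        ' Assumed column names, taken from the textbox names on the form.
        Const insertSql As String =
            "INSERT INTO StudentTable " &
            "(BadgeNo, FirstName, LastName, SAPSID, Email, Phone, College) " &
            "VALUES (?, ?, ?, ?, ?, ?, ?)"

        Using conn As New OleDbConnection(ConnStr),
              cmd As New OleDbCommand(insertSql, conn)
            ' OLE DB parameters are positional: the Add order must match the
            ' ? order above. Every value travels as data, so a surname such as
            ' O'Brien is stored as typed rather than breaking the statement,
            ' which is exactly what the concatenated version could not do.
            cmd.Parameters.Add("?", OleDbType.Integer).Value = badge
            cmd.Parameters.Add("?", OleDbType.VarWChar, 20).Value = firstName
            cmd.Parameters.Add("?", OleDbType.VarWChar, 20).Value = lastName
            cmd.Parameters.Add("?", OleDbType.Integer).Value = saps
            cmd.Parameters.Add("?", OleDbType.VarWChar, 50).Value = email
            cmd.Parameters.Add("?", OleDbType.VarChar, 20).Value = phone
            cmd.Parameters.Add("?", OleDbType.VarWChar, 35).Value = college

            conn.Open()
            Return cmd.ExecuteNonQuery()
        End Using
    End Function
End Module
```

From the form's button handler, call InsertStudent(BadgeNoTextBox.Text, FirstNameTextBox.Text, ...) inside a Try block and show the ArgumentException message (or the OleDbException message) to the user instead of a bare "Fail".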
