
What have I missed out with regards to the syntax of the SQL statement?

I am writing code to insert a username and password into a database called Users.

When I try to run the code it says there is an error in the INSERT statement's syntax but I cannot for the life of me find it.

I am running the SQL statement using another function called RunSQL that I can submit if need be, but it's worked fine with every other SQL statement I have run with it.

The Users table has the following columns with their data types:

User_ID - Auto Number (Primary Key)
Username - Short Text
Password - Short Text

I have tried adding ' ' around the values I am going to insert into the table as well as removing the & and making it one continuous string. I have tried adding / removing the ; but nothing has worked.

Dim sql As String = "INSERT INTO Users (Username, Password) " &           
"VALUES (" & username_Textbox.Text & " , " & password_Textbox.Text & ");"
RunSQL(sql)
MessageBox.Show("User Added")

Private Sub RunSQL(ByVal sql As String)
    Dim conn As OleDbConnection = New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=Paper_Gen_Database.accdb;")
    conn.Open()
    Dim cmd As New OleDbCommand(sql, conn)
    cmd.ExecuteNonQuery()
    System.Threading.Thread.Sleep(500)
End Sub

The code should take the values from the username and password textboxes and insert them into the Users table, but so far it has only thrown back an SQL error.

This is what the SQL statement looks like with "bh106" being the Username and "ZLTga" being the Password

This is one way to use parameters. It is very important to use parameters because otherwise you risk SQL injection, which can ruin your database. It is actually much easier to write the SQL statement this way because you don't have to worry about whether you have all your quotes in the string correctly.

The Using...End Using blocks ensure that your database objects are closed and disposed even if there is an error. This is important because it releases any unmanaged resources being used.

In a real application you would never save passwords as plain text, but that is a subject for another day.

Private Sub InsertUser()
    Dim sql As String = "INSERT INTO Users (Username, [Password]) VALUES (@username, @password);"
    Using conn As OleDbConnection = New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=Paper_Gen_Database.accdb;")
        Using cmd As New OleDbCommand(sql, conn)
            cmd.Parameters.Add("@username", OleDbType.VarChar).Value = username_Textbox.Text
            cmd.Parameters.Add("@password", OleDbType.VarChar).Value = password_Textbox.Text
            conn.Open()
            cmd.ExecuteNonQuery()
        End Using
    End Using
    MessageBox.Show("User Added")
End Sub

In Access the order that the parameters are added must match the order that they appear in the SQL statement.

Try this (it's probably because of a lack of quotes, and also because Password is a protected word):

Dim sql As String = "INSERT INTO Users (Username, [Password]) " &           
"VALUES ('" & username_Textbox.Text & "' , '" & password_Textbox.Text & "');"
RunSQL(sql)
MessageBox.Show("User Added")

Also be aware of the SQL injection problem. If a user puts a quote inside a textbox, the insert will still fail.

You should try converting your code into a parameterized query, example:

https://docs.microsoft.com/pl-pl/dotnet/api/system.data.oledb.oledbcommand.parameters?view=netframework-4.7.2
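The point made in both answers above (a quote typed into the textbox breaks the concatenated statement, while a parameterized statement stores it verbatim, and parameters are matched by position) can be shown end to end. The following is an added example, not code from the question or either answer: it uses Python's sqlite3 module and an in-memory table as a stand-in for the Access/OleDb setup so that it runs offline, and the username "O'Brien" is a constructed input chosen only because it contains a quote. SQLite's "?" placeholders are positional, which mirrors the Access rule that parameter order must follow the SQL text.

```python
# Added example (not from the question or either answer): the same INSERT built
# two ways, run against an in-memory SQLite table so it works offline. SQLite
# stands in for the Access/OleDb setup; its "?" placeholders are positional,
# matching the Access rule that parameter order must follow the SQL text.
import sqlite3
from contextlib import closing

CREATE_USERS = (
    "CREATE TABLE Users ("
    "User_ID INTEGER PRIMARY KEY AUTOINCREMENT, "  # Access: AutoNumber
    "Username TEXT, "
    "Password TEXT)"  # SQLite does not reserve Password; Access needs [Password]
)


def make_db():
    """Create a fresh in-memory database with the Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_USERS)
    return conn


def build_concatenated_sql(username, password):
    """The quoted-and-concatenated form from the second answer."""
    return ("INSERT INTO Users (Username, Password) VALUES ('"
            + username + "' , '" + password + "');")


def insert_concatenated(conn, username, password):
    """Textbox values spliced into the statement: any quote in the input becomes SQL."""
    conn.execute(build_concatenated_sql(username, password))


def insert_parameterised(conn, username, password):
    """Parameterised form: the statement text is fixed, values travel separately."""
    sql = "INSERT INTO Users (Username, Password) VALUES (?, ?);"
    conn.execute(sql, (username, password))  # positional, like OleDb parameters


def try_insert(conn, insert_fn, username, password):
    """Return 'ok' or 'error' instead of raising, so both styles can be compared."""
    try:
        insert_fn(conn, username, password)
        return "ok"
    except sqlite3.Error:
        return "error"


def stored_rows(conn):
    """Rows actually persisted, in insertion order."""
    return conn.execute(
        "SELECT Username, Password FROM Users ORDER BY User_ID").fetchall()


def demo():
    """Insert the question's sample pair, then a username containing a quote."""
    results = {}
    for label, insert_fn in (("concatenated", insert_concatenated),
                             ("parameterised", insert_parameterised)):
        # closing() plays the role of Using...End Using: the connection is
        # closed on the way out even if an insert raises.
        with closing(make_db()) as conn:
            results[label] = (
                try_insert(conn, insert_fn, "bh106", "ZLTga"),    # values from the question
                try_insert(conn, insert_fn, "O'Brien", "ZLTga"),  # constructed: embedded quote
                stored_rows(conn),
            )
    return results


if __name__ == "__main__":
    for label, (plain, quoted, rows) in demo().items():
        print(f"{label}: plain={plain} quoted={quoted} rows={rows}")
```

Running it shows the concatenated version accepting "bh106" but failing on "O'Brien" (the statement becomes `VALUES ('O'Brien' , 'ZLTga')`, a syntax error exactly as the second answer predicts), while the parameterised version stores both rows unchanged. The same failure mode is what an attacker relies on for SQL injection, so the parameterised form fixes the bug and the vulnerability at once.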

