
VB.NET SqlException Was Unhandled

I am trying some SQL code but I get an error when I try this code.

    ' Dynamic SQL: every field value is concatenated into the statement text, and the
    ' WHERE clause compares text-typed columns with '=', which is what the error below reports.
    Main.database.ExecuteCommand("UPDATE Contacts SET first_name='" + c.first_name + _
                              "', middle='" + c.middle + _
                              "', last_name='" + c.last_name + _
                              "', age='" + c.age + _
                              "', mobile_phone='" + c.mobile_phone + _
                              "', home_phone='" + c.home_phone + _
                              "', work_phone='" + c.work_phone + _
                              "', home_street='" + c.home_street + _
                              "', home_city='" + c.home_city + _
                              "', home_state='" + c.home_state + _
                              "', home_zip='" + c.home_zip + _
                              "', work_street='" + c.work_street + _
                              "', work_city='" + c.work_city + _
                              "', work_state='" + c.work_state + _
                              "', work_zip='" + c.work_zip + _
                              "', home_www='" + c.home_www + _
                              "', work_www='" + c.work_www + _
                              "', home_email='" + c.home_email + _
                              "', work_email='" + c.work_email + _
                              "' WHERE first_name='" + c.first_name + _
                              "' AND last_name='" + c.last_name + "'")

I get the following error

Sql Exception was unhandled

The data types text and varchar are incompatible in the equal to operator.


I tried the code revision using parameters

            ' SET assignments are comma separated; AND is only valid in the WHERE clause.
            ' Each fragment ends with a space so the concatenated statement stays valid SQL.
            ' New SqlConnection() is created without a connection string, which is what
            ' raises the error quoted below when conn.Open() runs.
            Using conn As New SqlConnection(), _
            myCommand As New SqlCommand("UPDATE Contacts SET " + _
                                        "first_name=@first_name, " + _
                                        "middle=@middle, " + _
                                        "last_name=@last_name, " + _
                                        "age=@age, " + _
                                        "mobile_phone=@mobile_phone, " + _
                                        "home_phone=@home_phone, " + _
                                        "work_phone=@work_phone, " + _
                                        "home_street=@home_street, " + _
                                        "home_city=@home_city, " + _
                                        "home_state=@home_state, " + _
                                        "home_zip=@home_zip, " + _
                                        "work_street=@work_street, " + _
                                        "work_city=@work_city, " + _
                                        "work_state=@work_state, " + _
                                        "work_zip=@work_zip, " + _
                                        "home_www=@home_www, " + _
                                        "work_www=@work_www, " + _
                                        "home_email=@home_email, " + _
                                        "work_email=@work_email " + _
                                        "WHERE first_name=@first_name " + _
                                        "AND last_name=@last_name", conn)

            myCommand.Parameters.Add(New SqlParameter("@first_name", c.first_name))
            myCommand.Parameters.Add(New SqlParameter("@middle", c.middle))
            myCommand.Parameters.Add(New SqlParameter("@last_name", c.last_name))
            myCommand.Parameters.Add(New SqlParameter("@age", c.age))
            myCommand.Parameters.Add(New SqlParameter("@mobile_phone", c.mobile_phone))
            myCommand.Parameters.Add(New SqlParameter("@home_phone", c.home_phone))
            myCommand.Parameters.Add(New SqlParameter("@work_phone", c.work_phone))
            myCommand.Parameters.Add(New SqlParameter("@home_street", c.home_street))
            myCommand.Parameters.Add(New SqlParameter("@home_city", c.home_city))
            myCommand.Parameters.Add(New SqlParameter("@home_state", c.home_state))
            myCommand.Parameters.Add(New SqlParameter("@home_zip", c.home_zip))
            myCommand.Parameters.Add(New SqlParameter("@work_street", c.work_street))
            myCommand.Parameters.Add(New SqlParameter("@work_city", c.work_city))
            myCommand.Parameters.Add(New SqlParameter("@work_state", c.work_state))
            myCommand.Parameters.Add(New SqlParameter("@work_zip", c.work_zip))
            myCommand.Parameters.Add(New SqlParameter("@home_www", c.home_www))
            myCommand.Parameters.Add(New SqlParameter("@work_www", c.work_www))
            myCommand.Parameters.Add(New SqlParameter("@home_email", c.home_email))
            myCommand.Parameters.Add(New SqlParameter("@work_email", c.work_email))

            conn.Open()

            myCommand.ExecuteNonQuery()

            conn.Close()

        End Using

But I am still having a problem initializing the connection, with this error

The ConnectionString property has not been initialized.

Eeek!

Get rid of that dynamic SQL! It's completely unsafe. Use parameterized queries instead! Here's a little example:

Using conn As New SqlConnection(), _
      cmd As New SqlCommand("UPDATE Contacts SET first_name = @firstName", conn)
    conn.Open()
    cmd.Parameters.Add(New SqlParameter("firstName", c.first_name))
    cmd.ExecuteNonQuery()
End Using

As I alluded to in my comment, that code is completely unacceptable. Seriously, stop whatever you're doing right now and forget about this exception until you understand what SQL injection is, why your code is vulnerable, and how to correctly use query parameters to protect it.

I mean it.

After you've done that and re-coded this to use parameterized queries, go back and modify your table in SQL Server so that your first_name, last_name, and most other text fields use the nvarchar data type instead.

The text datatype in SQL Server means external text, in that the row itself only stores a pointer to the actual text. The text itself is kept in a completely different place. This is done to get around the 8192 byte size limit of rows in SQL Server, and it means that you can't modify or compare against fields of type text. You can only retrieve or replace the data in those fields. The "text" type is only intended for large (>1K) text fields.
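Pulling the two answers together, here is an added example (written for this page; it is not code from the question or from either answer) of what the asker's UPDATE looks like once the connection string is supplied, the SET list is written correctly, every value travels as a typed parameter, and the name columns have been converted from text to nvarchar so the WHERE comparison is legal. Everything beyond the page is an assumption: the App.config entry named "ContactsDb", the constructed Contact class (a subset of the question's columns; the rest follow the same pattern), the nvarchar(100)/nvarchar(30) sizes, an int age column, the helper names ConvertNameColumnsToNVarChar, ValueOrNull and UpdateContact, and the two-step ALTER COLUMN path.

```vbnet
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

' Constructed contact record mirroring a subset of the fields in the question.
Public Class Contact
    Public Property FirstName As String
    Public Property Middle As String
    Public Property LastName As String
    Public Property Age As Integer
    Public Property MobilePhone As String
End Class

Public Module ContactRepository

    ' Assumption: App.config holds a <connectionStrings> entry named "ContactsDb"
    ' (project references System.Configuration). Passing the string to SqlConnection
    ' is what avoids "The ConnectionString property has not been initialized".
    Private ReadOnly Property ConnectionString As String
        Get
            Return ConfigurationManager.ConnectionStrings("ContactsDb").ConnectionString
        End Get
    End Property

    ' One-time schema change: text columns cannot be used with '=' (the first error in
    ' the question). Assumed path: SQL Server only alters a text column directly to
    ' nvarchar(max); narrowing to nvarchar(100) is a second step that fails if any
    ' existing value is longer, which is the safe outcome.
    Public Sub ConvertNameColumnsToNVarChar()
        Using conn As New SqlConnection(ConnectionString),
              cmd As New SqlCommand(
                  "ALTER TABLE Contacts ALTER COLUMN first_name nvarchar(max); " &
                  "ALTER TABLE Contacts ALTER COLUMN last_name nvarchar(max); " &
                  "ALTER TABLE Contacts ALTER COLUMN first_name nvarchar(100); " &
                  "ALTER TABLE Contacts ALTER COLUMN last_name nvarchar(100);", conn)
            conn.Open()
            cmd.ExecuteNonQuery()
        End Using
    End Sub

    ' Optional columns are stored as NULL rather than an empty string.
    Private Function ValueOrNull(s As String) As Object
        If s Is Nothing Then Return DBNull.Value
        Return s
    End Function

    ' Parameterized UPDATE: values never become part of the SQL text, so a quote in a
    ' name cannot change the statement. The SET list is comma separated (AND belongs
    ' only in WHERE) and each fragment ends with a space. The row is located by its
    ' original name, so renaming a contact still matches the right row.
    ' Returns the affected row count; 0 means no contact with that name existed.
    Public Function UpdateContact(c As Contact,
                                  originalFirstName As String,
                                  originalLastName As String) As Integer
        Dim sql As String =
            "UPDATE Contacts " &
            "SET first_name = @first_name, " &
            "    middle = @middle, " &
            "    last_name = @last_name, " &
            "    age = @age, " &
            "    mobile_phone = @mobile_phone " &
            "WHERE first_name = @orig_first_name AND last_name = @orig_last_name"

        Using conn As New SqlConnection(ConnectionString),
              cmd As New SqlCommand(sql, conn)
            ' Explicit types and lengths match the nvarchar columns, so SQL Server
            ' needs no implicit conversion in the WHERE clause and can reuse the plan.
            cmd.Parameters.Add("@first_name", SqlDbType.NVarChar, 100).Value = c.FirstName
            cmd.Parameters.Add("@middle", SqlDbType.NVarChar, 100).Value = ValueOrNull(c.Middle)
            cmd.Parameters.Add("@last_name", SqlDbType.NVarChar, 100).Value = c.LastName
            cmd.Parameters.Add("@age", SqlDbType.Int).Value = c.Age
            cmd.Parameters.Add("@mobile_phone", SqlDbType.NVarChar, 30).Value = ValueOrNull(c.MobilePhone)
            cmd.Parameters.Add("@orig_first_name", SqlDbType.NVarChar, 100).Value = originalFirstName
            cmd.Parameters.Add("@orig_last_name", SqlDbType.NVarChar, 100).Value = originalLastName

            conn.Open()
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    ' Example call with constructed data; the apostrophe in the surname is harmless
    ' because it is passed as a parameter value.
    Sub Main()
        Dim c As New Contact With {.FirstName = "Ann", .Middle = Nothing,
                                   .LastName = "O'Brien", .Age = 41, .MobilePhone = "555-0100"}
        Dim rows As Integer = UpdateContact(c, "Ann", "OBrien")
        Console.WriteLine("{0} row(s) updated", rows)
    End Sub
End Module
```

ConvertNameColumnsToNVarChar is run once by whoever owns the schema, not on every call; UpdateContact is the replacement for both of the question's attempts. Checking the returned row count is the cheap way to notice a WHERE clause that matched nothing, which the original dynamic version silently ignored.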

All of the above; parameterization is mandatory. I found this to be a wonderful how-to: http://www.sqlservercentral.com/articles/.Net/workingwithsqlparameterinnet/2311/


One of my tricks is to dump the string and try it in a query window. The SQL Server interface will point to the offending code directly.
