"Data type mismatch in criteria expression" when trying to delete row from database
OleDbCommand system = new OleDbCommand();
system.CommandType = CommandType.Text;
// ID is an integer column; the single quotes turn the value into a text literal
system.CommandText = "DELETE FROM Student WHERE(ID= '" + txtStudentIDnumber.Text + "')";
system.Connection = mydatabase;
mydatabase.Open();
system.ExecuteNonQuery();
dataGridView1.Update();
this.tableAdapterManager.UpdateAll(csharrpfinalprojectDataSet);
mydatabase.Close();
MessageBox.Show("Student Record Deleted.", "deleting record...");

In your command text you need to remove the single quotes (') around txtStudentIDnumber.Text, as it appears ID is of type integer and you are passing it as a string. The following should fix the error.

system.CommandText = "DELETE FROM Student WHERE(ID= " + txtStudentIDnumber.Text + ")";

EDIT: With respect to @mdb's comments, you should always use Parameters in your query so that you can avoid SQL Injection. Consider the following:

OleDbCommand system = new OleDbCommand();
system.CommandType = CommandType.Text;
// OleDb parameters are positional: "?" marks the slot, the parameter name is not matched against the SQL text
system.CommandText = "DELETE FROM Student WHERE ID = ?";
OleDbParameter parameter = new OleDbParameter("ID", txtStudentIDnumber.Text);
system.Parameters.Add(parameter);
system.Connection = mydatabase;
mydatabase.Open();
system.ExecuteNonQuery();
dataGridView1.Update();

OleDbCommand system = new OleDbCommand();
system.CommandType = CommandType.Text;
system.CommandText = "DELETE FROM Student WHERE ID=@ID";
system.Parameters.AddWithValue("@ID", txtStudentIDnumber.Text);
system.Connection = mydatabase;
mydatabase.Open();
system.ExecuteNonQuery();
dataGridView1.Update();
this.tableAdapterManager.UpdateAll(csharrpfinalprojectDataSet);
mydatabase.Close();
MessageBox.Show("Student Record Deleted.", "deleting record...");

What will happen when the user input for txtStudentIDNumber is

1 or 1=1

In that case the hardcoded SQL string will be

DELETE FROM Student WHERE(ID=1 or 1=1)

So prefer a parameterized SQL statement instead of a hard-coded string.

using (OleDbConnection cn = new OleDbConnection(cnStr))
{
    using (OleDbCommand cmd = new OleDbCommand())
    {
        cmd.CommandText = "DELETE FROM Student WHERE ID=@ID";
        cmd.Connection = cn;
        // OleDbParameterCollection.Add takes an OleDbType (SqlDbType belongs to SqlClient);
        // parsing the text first guarantees the value really is an integer
        cmd.Parameters.Add("@ID", OleDbType.Integer).Value = int.Parse(txtStudentIDnumber.Text);
        cn.Open();
        cmd.ExecuteNonQuery();
        cn.Close();
    }
}
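As an added example (not code from the question or from any of the answers above), the delete can be pulled into a helper that validates the text box as an integer before any command is built and then passes it as a typed OLE DB parameter. The connection string is a placeholder, and the Student table, its integer ID column and the txtStudentIDnumber control are assumed to be the ones from the question.

```csharp
using System;
using System.Data;
using System.Data.OleDb;
using System.Windows.Forms;

static class StudentRepository
{
    // Placeholder connection string: replace with the one the form already uses.
    const string ConnectionString =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=students.accdb";

    // Deletes the student with the given ID and returns the number of rows removed
    // (0 when no such student exists). Input that is not a whole number, for example
    // "1 or 1=1", is rejected here, so it never reaches the database at all.
    public static int DeleteStudentById(string idText)
    {
        if (!int.TryParse(idText, out int id))
            throw new ArgumentException("Student ID must be a whole number.", nameof(idText));

        using (var cn = new OleDbConnection(ConnectionString))
        using (var cmd = cn.CreateCommand())
        {
            // OleDb parameters are positional: "?" marks the slot, the name is informational only.
            // The value travels as a typed Integer parameter, not as part of the SQL text.
            cmd.CommandText = "DELETE FROM Student WHERE ID = ?";
            cmd.Parameters.Add("ID", OleDbType.Integer).Value = id;

            cn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}

// Button handler as it would look in the form class (assumed names from the question).
// Only reports success when exactly one row was deleted.
/*
private void btnDelete_Click(object sender, EventArgs e)
{
    try
    {
        int deleted = StudentRepository.DeleteStudentById(txtStudentIDnumber.Text);
        MessageBox.Show(deleted == 1 ? "Student Record Deleted." : "No student with that ID.",
                        "deleting record...");
        dataGridView1.Update();
    }
    catch (ArgumentException ex)
    {
        MessageBox.Show(ex.Message, "Invalid ID");
    }
}
*/
```

Checking the return value of ExecuteNonQuery is what tells the user whether anything was actually deleted; the original code shows "Student Record Deleted." unconditionally, even when the ID matched no row.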