
Getting SQL Server database entries to update? VB.NET

I am having trouble getting my SQL Server database to update. I think there's something wrong with the syntax but I'm unsure.

I tried writing it even in SQL Server itself and I still see a "syntax" error but I don't get what's wrong with the syntax! It works every other time I put basically the same code and nothing has changed! ... has it? LOL

Private Sub Button8_Click(sender As System.Object, e As System.EventArgs) Handles Button8.Click
    'update salesperson button
    Dim myconnection As New SqlConnection("server=classified;database=classified")
    myconnection.Open()
    Dim mycommand As SqlCommand
    Dim theQuery As String = "SELECT * FROM Salespeople WHERE [First Name]=@FirstName AND [Last Name]=@LastName AND [Home Address]=@HomeAddress AND City=@City AND State=@State AND [Phone Number]=@PhoneNumber"
    Dim repeatChecker As SqlCommand = New SqlCommand(theQuery, myconnection)
    'mycommand.ExecuteNonQuery()
    If TextBox6.Text = "" Then
        MsgBox("You must add a first name.", MsgBoxStyle.Exclamation)
    ElseIf TextBox7.Text = "" Then
        MsgBox("You must add a last name.", MsgBoxStyle.Exclamation)
    ElseIf TextBox8.Text = "" Then
        MsgBox("You must add a home address.", MsgBoxStyle.Exclamation)
    ElseIf TextBox9.Text = "" Then
        MsgBox("You must add a city.", MsgBoxStyle.Exclamation)
    ElseIf TextBox10.Text.Length <> 2 Then
        MsgBox("State abbreviation needed.", MsgBoxStyle.Exclamation)
    ElseIf TextBox11.Text = "" Or TextBox12.Text = "" Or TextBox13.Text = "" Then
        MsgBox("Please ensure you have entered a valid telephone number: (XXX) (XXX) (XXXX).", MsgBoxStyle.Exclamation)
    ElseIf Firs.IsInputNumeric(TextBox11.Text) = False Or Firs.IsInputNumeric(TextBox12.Text) = False Or Firs.IsInputNumeric(TextBox13.Text) = False Then
        MsgBox("Please ensure you have entered a valid telephone number: (XXX) (XXX) (XXXX).", MsgBoxStyle.Exclamation)
    ElseIf TextBox11.Text.Length <> 3 Or TextBox12.Text.Length <> 3 Or TextBox13.Text.Length <> 4 Then
        MsgBox("Please ensure you have entered a valid telephone number: (XXX) (XXX) (XXXX).", MsgBoxStyle.Exclamation)
    Else
        repeatChecker.Parameters.Add("@FirstName", SqlDbType.VarChar).Value = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox6.Text)
        repeatChecker.Parameters.Add("@LastName", SqlDbType.VarChar).Value = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox7.Text)
        repeatChecker.Parameters.Add("@HomeAddress", SqlDbType.VarChar).Value = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox8.Text)
        repeatChecker.Parameters.Add("@City", SqlDbType.VarChar).Value = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox9.Text)
        repeatChecker.Parameters.Add("@State", SqlDbType.VarChar).Value = TextBox10.Text.ToUpper
        repeatChecker.Parameters.Add("@PhoneNumber", SqlDbType.VarChar).Value = TextBox11.Text + "-" + TextBox12.Text + "-" + TextBox13.Text
        Using reader As SqlDataReader = repeatChecker.ExecuteReader()
            If reader.HasRows Then
                ' User already exists
                MsgBox("This salesperson already exists in the database.", MsgBoxStyle.Exclamation)
            Else
                reader.Close()
                mycommand = New SqlCommand("UPDATE Salespeople SET [First Name]='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox6.Text) + "', [Last Name]='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox7.Text) + "', [Home Address]='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox8.Text) + "', City='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox9.Text) + "', State='" + TextBox10.Text.ToUpper + "', [Phone Number]='" + TextBox11.Text + "-" + TextBox12.Text + "-" + TextBox13.Text + "' WHERE [First Name]=@FirstName, [Last Name]=@LastName, [Home Address]=@HomeAddress, City=@City, State=@State, [Phone Number]=@PhoneNumber)", myconnection)
                mycommand.ExecuteNonQuery()
                BindGridSalespeople()
                TabControl1.SelectTab(0)

                Dim FirstNameDisplay As String = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox1.Text)
                Dim LastNameDisplay As String = Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox2.Text)
                MsgBox("Salesperson " + FirstNameDisplay + " " + LastNameDisplay + " successfully added.")
            End If
        End Using
        myconnection.Close()

    End If
End Sub

Specifically, this line near the bottom:

mycommand = New SqlCommand("UPDATE Salespeople SET [First Name]='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox6.Text) + "', [Last Name]='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox7.Text) + "', [Home Address]='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox8.Text) + "', City='" + Globalization.CultureInfo.CurrentCulture.TextInfo.ToTitleCase(TextBox9.Text) + "', State='" + TextBox10.Text.ToUpper + "', [Phone Number]='" + TextBox11.Text + "-" + TextBox12.Text + "-" + TextBox13.Text + "' WHERE [First Name]=@FirstName, [Last Name]=@LastName, [Home Address]=@HomeAddress, City=@City, State=@State, [Phone Number]=@PhoneNumber)", myconnection)


IS MY LOGIN FORM CORRECT AND FREE OF SQL ATTACKS BY INJECTION?

Private Sub Button1_Click(sender As System.Object, e As System.EventArgs) Handles Button1.Click
    Dim myconnection As New SqlConnection("server=CLASSIFIED;database=classified")
    myconnection.Open()
    Dim loginQuery As String = " SELECT Username, Password FROM Accounts WHERE (Username = @Username) AND (Password = @Password)"
    Dim loginCommand As SqlCommand = New SqlCommand(loginQuery, myconnection)
    loginCommand.Parameters.Add("@Username", SqlDbType.VarChar).Value = TextBox1.Text
    loginCommand.Parameters.Add("@Password", SqlDbType.VarChar).Value = TextBox2.Text
    Using reader As SqlDataReader = loginCommand.ExecuteReader()
        If reader.HasRows Then
            ' A matching account was found
            MsgBox("Logged in successfully as " & TextBox1.Text, MsgBoxStyle.Information)
            Firs.Show()
        Else
            MsgBox("Invalid username or password.", MsgBoxStyle.Critical)
        End If
    End Using
    myconnection.Close()
End Sub

Besides the structural changes recommended in the comments, there are issues with your WHERE clause:
1: Remove the parenthesis after the PhoneNumber parameter.
2: Different WHERE clauses should be separated by "AND " instead of commas.

"' WHERE [First Name]=@FirstName, [Last Name]=@LastName, [Home Address]=@HomeAddress, City=@City, State=@State, [Phone Number]=@PhoneNumber)", myconnection)

Becomes:

"' WHERE [First Name]=@FirstName AND [Last Name]=@LastName AND [Home Address]=@HomeAddress AND City=@City AND State=@State AND [Phone Number]=@PhoneNumber", myconnection)
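The same UPDATE with every value, in SET as well as in WHERE, passed as a parameter instead of spliced into the SQL string (an added example, not code from the question or the answer; the connection string, the Salesperson structure and the column widths are assumptions):

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Structure Salesperson
    Public FirstName As String
    Public LastName As String
    Public HomeAddress As String
    Public City As String
    Public State As String
    Public PhoneNumber As String
End Structure

Public Module SalespeopleData
    ' Assumed connection string; substitute your own server and database.
    Private Const ConnectionString As String = "server=classified;database=classified"

    ' Rewrites the row identified by `current` with the values in `updated`.
    ' Returns the number of rows changed, so the caller can tell "no such row" (0) from success (1).
    Public Function UpdateSalesperson(current As Salesperson, updated As Salesperson) As Integer
        ' All twelve values travel as parameters: nothing typed into a TextBox is ever
        ' spliced into the SQL text, so a quote in a name cannot change the statement.
        ' The WHERE terms are joined with AND and there is no stray closing parenthesis.
        Const sql As String =
            "UPDATE Salespeople " &
            "SET [First Name] = @NewFirstName, [Last Name] = @NewLastName, " &
            "    [Home Address] = @NewHomeAddress, City = @NewCity, State = @NewState, " &
            "    [Phone Number] = @NewPhoneNumber " &
            "WHERE [First Name] = @FirstName AND [Last Name] = @LastName " &
            "  AND [Home Address] = @HomeAddress AND City = @City AND State = @State " &
            "  AND [Phone Number] = @PhoneNumber"
        Using connection As New SqlConnection(ConnectionString)
            Using command As New SqlCommand(sql, connection)
                AddPerson(command, "@New", updated)
                AddPerson(command, "@", current)
                connection.Open()
                Return command.ExecuteNonQuery()
            End Using
        End Using
    End Function

    ' Adds the six columns of one Salesperson under the given parameter name prefix.
    ' The lengths are assumed column widths; match them to your table definition.
    Private Sub AddPerson(command As SqlCommand, prefix As String, p As Salesperson)
        command.Parameters.Add(prefix & "FirstName", SqlDbType.VarChar, 50).Value = p.FirstName
        command.Parameters.Add(prefix & "LastName", SqlDbType.VarChar, 50).Value = p.LastName
        command.Parameters.Add(prefix & "HomeAddress", SqlDbType.VarChar, 100).Value = p.HomeAddress
        command.Parameters.Add(prefix & "City", SqlDbType.VarChar, 50).Value = p.City
        command.Parameters.Add(prefix & "State", SqlDbType.Char, 2).Value = p.State
        command.Parameters.Add(prefix & "PhoneNumber", SqlDbType.VarChar, 12).Value = p.PhoneNumber
    End Sub
End Module
```

The Using blocks dispose the connection even when ExecuteNonQuery throws, which the original's explicit myconnection.Close() does not guarantee.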
