[英]Issues with the insert function to my database program
大家好! 我的程序插入出现了小问题。 看到,代码没有错误,但是尝试插入时出现OleDb异常。 我项目的其他部分工作正常,但这里似乎有一个小问题,我似乎找不到
public void Insert()
{
//myDb = new OleDbConnection(conn + dbFile);
myDb.Open();
OleDbDataAdapter adapter = new OleDbDataAdapter("SELECT * FROM Employee", myDb);
//
OleDbCommand cmd = new OleDbCommand("INSERT INTO Employee(Username, Password, email, phone) VALUES ('" + insUn + "','" + insPass + "','" + insNm + "','" + insNmr + "')", myDb);
adapter.InsertCommand = cmd;
adapter.InsertCommand.ExecuteNonQuery();
DataSet ds = new DataSet();
adapter.Fill(ds, "Employee");
dataGridView1.DataSource = ds;
dataGridView1.DataMember = "Employee";
myDb.Close();
}
其他功能,例如搜索和删除工作,但我在这里找不到问题
这些是例外:
try
{
if (textBox2.Text != "")
{
insUn = textBox2.Text;
insNmr = textBox4.Text;
insPass = textBox3.Text;
insNm = textBox5.Text;
}
Insert();
}
catch (OleDbException ex)
{
MessageBox.Show("Error, please try again", "Exception", MessageBoxButtons.RetryCancel, MessageBoxIcon.Error);
}
catch (FormatException ex)
{
MessageBox.Show("One or more fields have not been entered. Please check and re-enter", "Missing fields", MessageBoxButtons.OK, MessageBoxIcon.Hand);
}
enter code here
我建议您使用Parameter
以避免SQL注入,并在[Password]
查询中放入方括号[]
,因为它是如下所示的关键字:
public void Insert()
{
//myDb = new OleDbConnection(conn + dbFile);
myDb.Open();
OleDbCommand cmd = new OleDbCommand("INSERT INTO Employee(Username, [Password], email, phone) VALUES (@Username, @Password, @email, @phone)", myDb);
cmd.Parameters.AddWithValue("@Username", insUn);
cmd.Parameters.AddWithValue("@Password", insPass);
cmd.Parameters.AddWithValue("@email", insNm);
cmd.Parameters.AddWithValue("@phone", insNmr);
cmd.ExecuteNonQuery();
OleDbDataAdapter adapter = new OleDbDataAdapter("SELECT * FROM Employee", myDb);
DataSet ds = new DataSet();
adapter.Fill(ds, "Employee");
dataGridView1.DataSource = ds;
dataGridView1.DataMember = "Employee";
myDb.Close();
}
Abdellah的答案会起作用,但是在构建查询字符串时要注意SQL注入攻击。 您应该这样构建它:
OleDbCommand cmd = new OleDbCommand("INSERT INTO Employee(Username, Password, email, phone) VALUES (@p1, @p2, @p3, @p4)", myDb);
int maxSize = 50;
cmd.Paramters.Add("@p1", SqlDbType.VarChar, maxSize).Value = insUn;
cmd.Parameters.Add("@p2", SqlDbType.VarChar, maxSize).Value = insPass;
cmd.Parameters.Add("@p3", SqlDbType.VarChar, maxSize).Value = insNm;
cmd.Parameters.Add("@p4", SqlDbType.VarChar, maxSize).Value = insNmr;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.