sql update命令的vb.net問題

Question

我正在尋找一些幫助，以弄清為什么我在vb.net中的更新命令上看到SQL錯誤，並指出我的SQL經驗非常有限。

我正在構建一個配置文件系統，該配置文件系統將在我們公司的其他多個工具中使用，作為配置文件系統的一部分，頁面加載時將根據我們的LDAP目錄查詢用戶信息，並且將數據存儲在頁面上的標簽。

然后，用戶可以選擇創建一個新的配置文件（如果不存在）或更新現有的配置文件（如果已經存在）。 該代碼基於使用用戶員工ID對表的查詢來確定適當的操作。

我的插入命令可以正常運行，但更新不起作用，以下是我當前的代碼和錯誤。

這是用於創建新條目的插入語句，可以正常工作。

    Protected Sub btnInsert_Click(sender As Object, e As EventArgs) Handles btnInsert.Click
    Try
        Dim con As New SqlConnection
        Dim cmd As New SqlCommand

        con.ConnectionString = "Data Source="server" Catalog=usertable;Integrated Security=True"

        con.Open()
        cmd.Connection = con

        cmd.CommandText = "INSERT INTO Profile (FirstName, LastName, Email, Telephone, EmployeeID, NTLogin) VALUES ('" & lblFirstName.Text & "','" & lblLastName.Text & "','" & lblEmail.Text & "','" & lblPhone.Text & "','" & lblEID.Text & "','" & lblNT.Text & "')"

        cmd.ExecuteNonQuery()
        btnInsert.Enabled = False
        lblValid.Text = "Record Inserted Successfully"
        con.Close()
    Catch ex As System.Exception
        lblValid.Text = (ex.Message)

    End Try

以下是給出錯誤的更新代碼：

Protected Sub btnUpdate_Click(sender As Object, e As EventArgs) Handles btnUpdate.Click
    Try
        Dim con As New SqlConnection
        Dim cmd As New SqlCommand

        con.ConnectionString = "server;Initial Catalog=usertable;Integrated Security=True"
        con.Open()
        cmd.Connection = con

        cmd.CommandText = "UPDATE Profile (FirstName, LastName, Email, Telephone, EmployeeID, NTLogin) VALUES ('" & lblFirstName.Text & "','" & lblLastName.Text & "','" & lblEmail.Text & "','" & lblPhone.Text & "','" & lblEID.Text & "','" & lblNT.Text & "') Where [EmployeeID] = '" & lblEID.text & "'"

        cmd.ExecuteNonQuery()
        btnUpdate.Enabled = False
        lblValid.Text = "Record Updated Successfully"
        con.Close()
    Catch ex As System.Exception
        lblValid.Text = (ex.Message)
    End Try
End Sub

返回的異常錯誤是

    [SqlException (0x80131904): Incorrect syntax near '('.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +392
   System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +815
   System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) +4515
   System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite) +1390
   System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite) +538
   System.Data.SqlClient.SqlCommand.ExecuteNonQuery() +290
   newprofile.btnUpdate_Click(Object sender, EventArgs e) +759
   System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +155
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +3804

我很茫然，感謝能提供的任何幫助。

Answer 1

如@JBKing所述，更新語法完全無效。

更新語句的形式為：

UPDATE myTableName SET field=new_value WHERE condition=some_value

另外，為避免可能的注入，請勿將字段值直接傳遞到SQL命令中。 使用參數如何在VB中的SQL命令中使用參數“ @”

Answer 2

cmd.CommandText = "UPDATE Profile (FirstName, LastName, Email, Telephone, EmployeeID, NTLogin) VALUES ('" & lblFirstName.Text & "','" & lblLastName.Text & "','" & lblEmail.Text & "','" & lblPhone.Text & "','" & lblEID.Text & "','" & lblNT.Text & "') Where [EmployeeID] = '" & lblEID.text & "'"

應該是這樣的：

cmd.CommandText = "UPDATE Profile SET FirstName='"&lblFirstName.Text&"', LastName='"&lblLastName.Text&"', Email='"&lblEmail.Text&"', Telephone='"&lblPhone.Text&"', EmployeeID='"&lblEID.Text&"', NTLogin='"&lblNT.Text&"' Where [EmployeeID] = '" & lblEID.text & "'"

對於可能會破壞您的SQL的諸如“ O'Connor”之類的姓氏，我會非常小心，因為在大多數情況下，最好使用存儲過程或參數來防止SQL注入攻擊。

Answer 3

感謝所有提供幫助的人。 在示例和共享的鏈接之間，我能夠重建命令以使其正確更新，並且現在可以使用參數化查詢而不是直接插入語句（或者至少對我而言正確的語句）進行設置，並且可以正常工作。

下面是我的最終代碼。

Try
        Dim con As New SqlConnection
        Dim cmd As New SqlCommand

        con.ConnectionString = "Data Source=server;Initial Catalog=database;Integrated Security=True"
        con.Open()
        cmd.Connection = con
        cmd.CommandText = ("UPDATE Profile SET FirstName = @FirstName, LastName = @LastName, Email = @Email, Telephone = @Telephone, EmployeeID = @EmployeeID, NTLogin = @NTLogin, Organization = @Organization, Permission = @Permission Where [EmployeeID] = '" & eID & "'")
        cmd.Parameters.Add("@FirstName", SqlDbType.VarChar).Value = lblFirstName.Text
        cmd.Parameters.Add("@LastName", SqlDbType.VarChar).Value = lblLastName.Text
        cmd.Parameters.Add("@Email", SqlDbType.VarChar).Value = lblEmail.Text
        cmd.Parameters.Add("@Telephone", SqlDbType.VarChar).Value = lblPhone.Text
        cmd.Parameters.Add("@EmployeeID", SqlDbType.VarChar).Value = lblEID.Text
        cmd.Parameters.Add("@NTLogin", SqlDbType.VarChar).Value = lblNT.Text
        cmd.Parameters.Add("@Organization", SqlDbType.VarChar).Value = lblOrg.Text
        cmd.Parameters.Add("@Permission", SqlDbType.VarChar).Value = "requestor"

        cmd.ExecuteNonQuery()
        con.close
        lblValid.Text = "Record Updated Successfully"
    Catch ex As System.Exception
        lblValid.Text = (ex.Message)
    End Try

謝謝！