[英]saving parentheses or quotations into sql in vb.net
我在vb項目中有一個保存命令。 問題是它不會保存帶有“”或括號的文本。 我認為這與sql命令有關。這是我用於保存和更新的代碼
保存
Dim myAdapter As New MySqlDataAdapter
Dim myDatatable As New DataTable
Dim command As New MySqlCommand
Dim add As String
add = "INSERT INTO tracker.recordtracker (Action_Taken,Marginal_Note,Remarks,Type_of_Document,Referred_Date,Items,Received_From,Received_Date,Referred_To,recdate,refdate)values('" + acttaken.Text + "','" + margnote.Text + "','" + remarks.Text + "','" + doctype.Text + "','" + rfrldatelbl.Text + "','" + itemtbx.Text + "','" + rfromtbx.Text + "','" + rcvdate.Text + "','" + reftotbx.Text + "' ,'" + rdate.Text + "',@refdate)"
command = New MySqlCommand(add, connection)
refdate.CustomFormat = "yyyy-MM-dd"
myAdapter.SelectCommand = command
myAdapter.Fill(myDatatable)
MsgBox("Data has been successfully added.")
clearfield()
loaddatabase()
connection.Close()
connection.Dispose()
Catch ex As Exception
MsgBox(ex.Message)
End Try
更新
Try
connection.Open()
rcvdate.Text = rdate.Text
If refdate.Checked = False Then
rfrldatelbl.Text = "____-__-__"
Else
refdate.CustomFormat = "yyyy-MM-dd"
rfrldatelbl.Text = refdate.Text + " " + TimeOfDay
End If
Dim query As String
query = "update tracker.recordtracker set Action_Taken='" & acttaken.Text & "', Marginal_Note='" & margnote.Text & "', Remarks='" & remarks.Text & "',Type_of_Document='" & doctype.Text & "', Items = '" & itemtbx.Text & "', Referred_To='" & reftotbx.Text & "', Referred_Date='" & rfrldatelbl.Text & "',recdate='" & rdate.Text & "',refdate='" & refdate.Text & "' where id = '" & ID.Text & "'"
utos = New MySqlCommand(query, connection)
reader = utos.ExecuteReader
MsgBox("Data has been changed.")
connection.Close()
loaddatabase()
connection.Close()
connection.Dispose()
Catch ex As Exception
MsgBox(ex.Message)
End Try
您已經附加了構成SQL查詢的字符串。 您將需要閱讀有關SQL injection
以了解為什么這是一個糟糕的主意。 但是從根本上講,它允許任何有權提交將您附加到字符串中的值的人控制數據庫。 您可能想要做類似的事情:
Dim sql As String = "INSERT INTO foo (baz) VALUES (@Baz)"
Using cn As New SqlConnection("Your connection string here"), _
cmd As New SqlCommand(sql, cn)
cmd.Parameters.Add("@Baz", SqlDbType.VarChar, 50).Value = Baz
cmd.ExecuteNonQuery()
解決您的問題。
來自MySQL參考
字符串是字節或字符序列,用單引號(“'”)或雙引號(“”“)括起來
所以'
是保留字符。
如果要在字符串的內容中使用轉義序列\\'
則需要使用轉義序列\\'
。
但是正如@Matt Fellows在他的答案中提到的,在數據庫中保存字符串值的更好的做法是SqlParameters
使用SqlParameter
您不需要使用轉義序列,字符串將按原樣保存(基於列的類型)
Dim param As New SqlParameter With {.ParameterName="@text",
.SqlDbType = SqlDbType.VarChar,
.Value = "Your 'Name' in quotes"}
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.