-1

コードは正常に機能し、SQL Server Management Studio でクエリとして使用するとテーブルに挿入されます。私はSQLが初めてなので、助けていただければ幸いです。

SQL Server Management Studio クエリ:

INSERT INTO Site(
    Sub_Company_ID, 
    Site_Name, 
    Site_Code, 
    Site_Address_1, 
    Site_Address_2, 
    Site_Address_3, 
    Site_Address_4, 
    Site_Postcode, 
    Site_Email, 
    Site_Username, 
    Site_Password, 
    Site_Order_Budget, 
    Site_Float, 
    Site_Managment_Percentage, 
    Site_Bond_Percentage, 
    Site_Minimum_Fee) 
    VALUES(
    '01', 
    'a', 
    '1', 
    'c', 
    'd', 
    'e', 
    'f', 
    'g', 
    'h', 
    'i', 
    'j', 
    '1',
    '2', 
    '3',
    '4',
    '5')

ただし、実際のプログラムで使用すると、site_name のテキストに入力されたものに対して例外エラーが発生します。定数、式、または変数のみが許可されていると書かれていますが、SQLステートメントで文字列「a」を使用する場合、この問題はありません。(これはプログラムの 1 行にあるので、ここで読みやすくしようとしました)。

プログラムコード:

Dim str As String = "INSERT INTO Site(
    Sub_Company_ID, 
    Site_Name, 
    Site_Code, 
    Site_Address_1, 
    Site_Address_2, 
    Site_Address_3, 
    Site_Address_4, 
    Site_Postcode, 
    Site_Email, 
    Site_Username, 
    Site_Password, 
    Site_Order_Budget, 
    Site_Float, 
    Site_Managment_Percentage, 
    Site_Bond_Percentage, 
    Site_Minimum_Fee) 
    VALUES(" 
    & lstSubCompany.SelectedValue & "," 
    & txtSiteName.Text & "," 
    & txtSiteCode.Text & "," 
    & txtAddress1.Text & "," 
    & txtAddress2.Text & "," 
    & txtAddress3.Text & "," 
    & txtAddress4.Text & "," 
    & txtPostcode.Text & "," 
    & txtEmail.Text & ","
    & txtUsername.Text & "," 
    & txtPassword.Text & "," 
    & txtOrderBudget.Text & "," 
    & txtFloat.Text & "," 
    & txtManagmentFee.Text & "," 
    & txtBond.Text & "," 
    & txtMinimumFee.Text & ")"
4

2 に答える 2

0

このコードにより、SQL インジェクションを回避でき、更新ステートメントに正しい '' を追加することを心配する必要がなくなります。メンテナンスもしやすくなります。

 Using connection As New SqlConnection(connectionString)

Dim str As String = "INSERT INTO Site(Sub_Company_ID, Site_Name, Site_Code," & _
"Site_Address_1,Site_Address_2, Site_Address_3, Site_Address_4, Site_Postcode," & _
"Site_Email, Site_Username," & _
"Site_Password,Site_Order_Budget,Site_Float, Site_Managment_Percentage," & _
"Site_Bond_Percentage,Site_Minimum_Fee) " & _
"VALUES(@SubCompany,@SiteName,@SiteCode,@Address1,@Address2,@Address3," & _
"@Address4,@Address4,@Postcode,@Email,@Username,@Password,@OrderBudget," & _
"@Float,@Management,@Bond,@MinimumFee)"
            Dim cmd As New SqlCommand(str, connection)
            cmd.Parameters.AddWithValue("@SubCompany", lstSubCompany.SelectedValue)
            cmd.Parameters.AddWithValue("@SubCompany", txtSiteName.Text)
            cmd.Parameters.AddWithValue("@SubCompany", txtSiteCode.Text)
            cmd.Parameters.AddWithValue("@Address1", txtAddress1.Text)
            cmd.Parameters.AddWithValue("@Address2", txtAddress2.Text)
            cmd.Parameters.AddWithValue("@Address3", txtAddress3.Text)
            cmd.Parameters.AddWithValue("@Address4", txtAddress4.Text)
            cmd.Parameters.AddWithValue("@Postcode", txtPostcode.Text)
            cmd.Parameters.AddWithValue("@Email", txtEmail.Text)
            cmd.Parameters.AddWithValue("@Username", txtUsername.Text)
            cmd.Parameters.AddWithValue("@Password", txtPassword.Text)
            cmd.Parameters.AddWithValue("@OrderBudget", txtOrderBudget.Text)
            cmd.Parameters.AddWithValue("@Float", txtFloat.Text)
            cmd.Parameters.AddWithValue("@Management", txtManagmentFee.Text)
            cmd.Parameters.AddWithValue("@Bond", txtBond.Text)
            cmd.Parameters.AddWithValue("@MinimumFee", txtMinimumFee.Text)
            Try
                connection.Open()
                Dim rowsAffected As Integer = cmd.ExecuteNonQuery()
                Console.WriteLine("RowsAffected: {0}", rowsAffected)

            Catch ex As Exception
                Console.WriteLine(ex.Message)
            End Try
        End Using
于 2013-07-19T15:29:15.637 に答える