我一直在为一些付款创建数据库,我的代码似乎有错误,我无法看到问题所在。我一直收到OleDbExecution中的“UPDATE语句中的语法错误”错误。有人可以帮忙吗?
这是我的代码:
Dim cnnOLEDB As New OleDbConnection
Dim cmdUpdate As New OleDbCommand
Dim conn As New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\UBSOMSPayments.accdb")
If TextBox1.Text <> "" Then
cmdUpdate.CommandText = "UPDATE Payments SET Position='" & TextBox2.Text & "'," & "PaymentRecipient='" & TextBox3.Text & "'," & "PaymentFor='" & TextBox4.Text & "'," & "Amount='" & TextBox5.Text & "'," & "PayedAmount='" & TextBox6.Text & "'" & " WHERE AssignedOfficer = " & Val(TextBox1.Text)
'1MsgBox(cmdUpdate.CommandText)
cmdUpdate.CommandType = CommandType.Text
cmdUpdate.Connection = conn
conn.Open()
cmdUpdate.ExecuteNonQuery() <--- Line where the error shows
conn.Close()
MsgBox("Record has been updated.")
Else
MsgBox("try again")
End If
cmdUpdate.Dispose()
您永远不应该使用字符串连接来构建SQL命令,但始终使用参数化查询来避免SQL注入。
试试这个:
将您的查询更改为以下内容:
"UPDATE [Payments] SET [Position] = ?, [PaymentRecipient] = ?, [PaymentFor] = ?, " & _
"[Amount] = ?, [PayedAmount] = ? & _
" WHERE [AssignedOfficer] = ?"
然后添加参数:
cmdUpdate.Parameters.AddWithValue("@p1", TextBox2.Text)
cmdUpdate.Parameters.AddWithValue("@p2", TextBox3.Text)
cmdUpdate.Parameters.AddWithValue("@p3", TextBox4.Text)
cmdUpdate.Parameters.AddWithValue("@p4", TextBox5.Text)
cmdUpdate.Parameters.AddWithValue("@p5", TextBox6.Text)
cmdUpdate.Parameters.AddWithValue("@p6", TextBox1.Text)
cmdUpdate.ExecuteNonQuery()