SQL 语句末尾缺少分号 (;)
Missing semicolon(;) at end of SQL statement
我不知道应该把分号放在哪里。这是我的代码:
Try
cn.Open()
Dim query As String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) VALUES('" & txtPID.Text & "','" & txtName.Text & "','" & txtAge.Text & "','" & cmbGender.Text & "','" & txtPhone.Text & "','" & txtAddress.Text & "','" & txtDisease.Text & "',' " & txtDI.Text & " ',' " & txtDO.Text & " ','" & txtRT.Text & "','" & txtBuilding.Text & "','" & txtRN.Text & "',' " & txtMNS.Text & " ',' " & txtUnitPrice.Text & " ',' " & cmbStatus.Text & " ','" & txtPrice.Text & "')" & _
"DELETE From RegistrationTable where [_Name]='" & ListBox1.Text & "'" & _
"Select * from RegistrationTable"
Dim cmds As New OleDbCommand
With cmds
.CommandText = query
.Connection = cn
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
Try
cn.Open()
Dim insertQuery as String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) " & _
"VALUES(@PatientID, @Name, @Age, @Gender, @Phone, @Address, @Disease , @DateIn, @DateOut, @Building, @RoomNo, @RoomType, @UnitPrice, @Status, @MASP, @Price) "
Dim deleteQuery as String = "DELETE From RegistrationTable where [_Name]= @RegName "
Dim selectQuery as String = "Select * from RegistrationTable"
Dim insertCmd As New OleDbCommand
Dim deleteCmd as New OleDbCommand
With insertCmd
.Connection = cn
.CommandText = insertQuery
.Parameters.AddWithValue("@PatientID", txtPID.Text)
.Parameters.AddWithValue("@Name", txtName.Text)
.Parameters.AddWithValue("@Age", txtAge.Text)
.Parameters.AddWithValue("@Gender", cmbGender.Text)
.Parameters.AddWithValue("@Phone", txtPhone.Text)
.Parameters.AddWithValue("@Address", txtAddress.Text)
.Parameters.AddWithValue("@Disease", txtDisease.Text)
.Parameters.AddWithValue("@DateIn", txtDI.Text)
.Parameters.AddWithValue("@DateOUT", txtDO.Text)
.Parameters.AddWithValue("@Building", txtBuilding.Text)
.Parameters.AddWithValue("@RoomNo", txtRN.Text)
.Parameters.AddWithValue("@RoomType", txtRT.Text)
.Parameters.AddWithValue("@UnitPrice", txtUnitPrice.Text)
.Parameters.AddWithValue("@MASP", txtMNS.Text)
.Parameters.AddWithValue("@Status", cmbStatus.Text)
.Parameters.AddWithValue("@Price", txtPrice.Text)
.ExecuteNonQuery()
End With
With deleteCmd
.Connection = cn
.CommandText = deleteQuery
.Parameters.AddWithValue("@RegName", ListBox1.Text)
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
@StingyJack 是对的,如果我可以访问您的界面,我可以从周日开始以 6 种方式破坏您的数据库,因为您目前没有采取任何措施来减轻 SQL 注入。除了参数化您的查询以防止注入之外,我还消除了对 HAVE 的需求。在查询中每个 DML 语句的末尾,将它们分解成单独的命令。 select 并显示它的结果,我留给你。
我不知道应该把分号放在哪里。这是我的代码:
Try
cn.Open()
Dim query As String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) VALUES('" & txtPID.Text & "','" & txtName.Text & "','" & txtAge.Text & "','" & cmbGender.Text & "','" & txtPhone.Text & "','" & txtAddress.Text & "','" & txtDisease.Text & "',' " & txtDI.Text & " ',' " & txtDO.Text & " ','" & txtRT.Text & "','" & txtBuilding.Text & "','" & txtRN.Text & "',' " & txtMNS.Text & " ',' " & txtUnitPrice.Text & " ',' " & cmbStatus.Text & " ','" & txtPrice.Text & "')" & _
"DELETE From RegistrationTable where [_Name]='" & ListBox1.Text & "'" & _
"Select * from RegistrationTable"
Dim cmds As New OleDbCommand
With cmds
.CommandText = query
.Connection = cn
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
Try
cn.Open()
Dim insertQuery as String = "INSERT INTO CheckoutTable(PatientID,_Name,_Age,_Gender,_Phone,_Address,_Disease,_DateIN,_DateOUT,_Building,_RoomNo,_RoomType,_UnitPrice,_Status,_MASP,_Price) " & _
"VALUES(@PatientID, @Name, @Age, @Gender, @Phone, @Address, @Disease , @DateIn, @DateOut, @Building, @RoomNo, @RoomType, @UnitPrice, @Status, @MASP, @Price) "
Dim deleteQuery as String = "DELETE From RegistrationTable where [_Name]= @RegName "
Dim selectQuery as String = "Select * from RegistrationTable"
Dim insertCmd As New OleDbCommand
Dim deleteCmd as New OleDbCommand
With insertCmd
.Connection = cn
.CommandText = insertQuery
.Parameters.AddWithValue("@PatientID", txtPID.Text)
.Parameters.AddWithValue("@Name", txtName.Text)
.Parameters.AddWithValue("@Age", txtAge.Text)
.Parameters.AddWithValue("@Gender", cmbGender.Text)
.Parameters.AddWithValue("@Phone", txtPhone.Text)
.Parameters.AddWithValue("@Address", txtAddress.Text)
.Parameters.AddWithValue("@Disease", txtDisease.Text)
.Parameters.AddWithValue("@DateIn", txtDI.Text)
.Parameters.AddWithValue("@DateOUT", txtDO.Text)
.Parameters.AddWithValue("@Building", txtBuilding.Text)
.Parameters.AddWithValue("@RoomNo", txtRN.Text)
.Parameters.AddWithValue("@RoomType", txtRT.Text)
.Parameters.AddWithValue("@UnitPrice", txtUnitPrice.Text)
.Parameters.AddWithValue("@MASP", txtMNS.Text)
.Parameters.AddWithValue("@Status", cmbStatus.Text)
.Parameters.AddWithValue("@Price", txtPrice.Text)
.ExecuteNonQuery()
End With
With deleteCmd
.Connection = cn
.CommandText = deleteQuery
.Parameters.AddWithValue("@RegName", ListBox1.Text)
.ExecuteNonQuery()
End With
MsgBox("Checkout Success", MsgBoxStyle.Information)
cn.Close()
Catch ex As Exception
MsgBox(ex.Message)
End Try
@StingyJack 是对的,如果我可以访问您的界面,我可以从周日开始以 6 种方式破坏您的数据库,因为您目前没有采取任何措施来减轻 SQL 注入。除了参数化您的查询以防止注入之外,我还消除了对 HAVE 的需求。在查询中每个 DML 语句的末尾,将它们分解成单独的命令。 select 并显示它的结果,我留给你。