Updated: 2023-02-08 07:45:06
Hi, I try to update my form, and in that DateEdit (InvoiceDate) I am getting a syntax error. This is my code. Help me to solve this?
OleDbCommand top = new OleDbCommand("UPDATE NewInvoice_1 SET Terms = " + CBL_Terms.EditValue.ToString() + ", InvoiceDate= " + CBL_Date.DateTime + ", OurQuote='" + TXE_OurQuote.Text + "', SalesPerson=" + CBL_Sales_Person.EditValue.ToString() + ", CustomerName=" + CBL_Customer_Name.EditValue.ToString() + ", OrderNumber='" + TXE_Order_Number.Text + "', InvoiceAddress='" + TXE_Invoice_Address.Text + "', DeliveryAddress='" + TXE_Delivery_Address.Text + "', WholeDiscountP=" + Convert.ToDecimal(TXE_FlatDiscountP.Text) + ", WholeDiscountA=" + Convert.ToDecimal(TXE_FlatDiscountA.Text) + ", ShippingP=" + Convert.ToDecimal(TXE_ShippingPercentage.Text) + ", ShippingA=" + Convert.ToDecimal(TXE_ShippingAmount.Text) + ", Price=" + Convert.ToDecimal(TXE_SubTotal.Text) + ", Discount=" + Convert.ToDecimal(TXE_Discount.Text) + ", Tax=" + Convert.ToDecimal(TXE_Tax.Text) + ", Shipping=" + Convert.ToDecimal(TXE_Shipping.Text) + ", GrandTotal=" + Convert.ToDecimal(TXE_GrandTotal.Text) + ", TaxforDisc=" + barCheckItem1.Checked + ", DiscountType='" + selectedItem + "', ShippingBy='" + TXE_Shipping_By.Text + "',ShipReferenceNo='" + TXE_Reference_No.Text + "', IsInsured=" + CBX_Is_Insured.Checked + ", Notes='" + TXE_Notes.Text + "', DueDate=" + CBL_DueDate.DateTime + ", AmountinWords='" + TXE_AmountinWords.Text + "' WHERE InvoiceId=" + TXE_Unvisible.Text, conn);
top.ExecuteNonQuery();
Thanks in advance.
This way of writing queries is wrong from the very beginning. You are composing a query concatenating strings taken from UI. Among other problems, this way, you invite a well-known exploit called SQL injection. This is how:
http://xkcd.com/327.
For further detail, please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.
This is what you need to do: http://msdn.microsoft.com/en-us/library/ff648339.aspx.—SA
For any date field, use # around the date.
Replace: DueDate=" + CBL_DueDate.DateTime + "
With: DueDate=#" + CBL_DueDate.DateTime + "# ...
Date should be formatted in ISO standard: MM/dd/yyyy
where:
MM - month
dd - day
yyyy - year
Have a look here: Examples of query criteria
Examples of using dates as criteria in Access queries
[EDIT]
As a rule, you need to use parameterized queries. See my past answers.
[/EDIT]
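The two answers above make the same two points: stop concatenating UI strings into the SQL (injection), and stop relying on DateTime.ToString() output inside the statement (the syntax error). Below is an added example, written by the editor and not code from the asker or from SA, that rewrites part of the question's UPDATE with OleDbParameter so both problems disappear at once. Table and column names (NewInvoice_1, Terms, InvoiceDate, OurQuote, GrandTotal, IsInsured, Notes, DueDate, InvoiceId) come from the question; the InvoiceRepository class, the method signature and the assumed column types (Integer for the ID-like columns, Decimal for amounts, Date for dates) are assumptions, so match them to the real Access table.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example (not the asker's or SA's code): a subset of the question's
// UPDATE as a parameterized OleDbCommand. The class name and the parameter
// types are assumptions; column names are taken from the question.
static class InvoiceRepository
{
    // OLE DB binds parameters by POSITION, not by name: each '?' in the SQL is
    // matched to the parameters in the order they were added to cmd.Parameters.
    // The "@Name" strings below are therefore only documentation.
    public static int UpdateInvoice(OleDbConnection conn, int invoiceId, int terms,
        DateTime invoiceDate, string ourQuote, decimal grandTotal, bool isInsured,
        string notes, DateTime dueDate)
    {
        const string sql =
            "UPDATE NewInvoice_1 SET Terms = ?, InvoiceDate = ?, OurQuote = ?, " +
            "GrandTotal = ?, IsInsured = ?, Notes = ?, DueDate = ? " +
            "WHERE InvoiceId = ?";

        using (var cmd = new OleDbCommand(sql, conn))
        {
            cmd.Parameters.Add("@Terms", OleDbType.Integer).Value = terms;
            // OleDbType.Date sends a typed date value: no '#' delimiters and no
            // MM/dd/yyyy formatting are needed, and the value cannot be misparsed.
            cmd.Parameters.Add("@InvoiceDate", OleDbType.Date).Value = invoiceDate;
            // Text columns: the value is bound as data, so an apostrophe in the
            // input (e.g. a customer called O'Brien) is stored, not executed.
            cmd.Parameters.Add("@OurQuote", OleDbType.VarWChar).Value =
                (object)ourQuote ?? DBNull.Value;
            cmd.Parameters.Add("@GrandTotal", OleDbType.Decimal).Value = grandTotal;
            cmd.Parameters.Add("@IsInsured", OleDbType.Boolean).Value = isInsured;
            cmd.Parameters.Add("@Notes", OleDbType.VarWChar).Value =
                (object)notes ?? DBNull.Value;
            cmd.Parameters.Add("@DueDate", OleDbType.Date).Value = dueDate;
            // WHERE clause parameter comes last because it is the last '?'.
            cmd.Parameters.Add("@InvoiceId", OleDbType.Integer).Value = invoiceId;

            if (conn.State != ConnectionState.Open)
                conn.Open();
            return cmd.ExecuteNonQuery();   // rows affected (expect 1)
        }
    }
}

// Call site inside the form, using the control names from the question.
// Parsing happens in C#, so a non-numeric InvoiceId fails here with a clear
// exception instead of becoming part of the SQL text.
//
// int rows = InvoiceRepository.UpdateInvoice(
//     conn,
//     int.Parse(TXE_Unvisible.Text),
//     Convert.ToInt32(CBL_Terms.EditValue),
//     CBL_Date.DateTime,
//     TXE_OurQuote.Text,
//     Convert.ToDecimal(TXE_GrandTotal.Text),
//     CBX_Is_Insured.Checked,
//     TXE_Notes.Text,
//     CBL_DueDate.DateTime);
```

Why this fixes the reported error as well as the injection problem: the original statement pastes CBL_Date.DateTime straight into the SQL, which calls DateTime.ToString() and yields something like 2/8/2023 7:45:06 AM with no delimiters, so the Access SQL parser stops at the space or colon with a syntax error. Binding the value as OleDbType.Date never produces SQL text for the date at all. The remaining columns from the question are added the same way, one '?' and one parameter each, in the same order.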