1. 首頁
  2. 問答
  3. 有些值不會在數據庫

有些值不會在數據庫

2012-08-10 52 views
-1

商店,我有這樣的代碼:有些值不會在數據庫

Private Sub btnAdd_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnAdd.Click 

    If txtCode.Text <> "878" Then 
     If ((txtCode.Text <> "") And (txtRefNo.Text <> "") And (txtPayee.Text <> "") And (txtOffice.Text <> "") And (txtAddress.Text <> "") And (txtParticulars.Text <> "") And (txtPPA.Text <> "") And (txtAmount.Text <> "")) Then 
      Try 
       If IsNumeric(txtAmount.Text) = False Then 
        MsgBox("Amount value should be in correct number format! e.g: 10000.00 or 10,000.00", MsgBoxStyle.Exclamation) 
        Exit Sub 
       End If 

       modGlobalFunctions.Connection.Close() 
       modGlobalFunctions.connectDatabase() 

       modGlobalFunctions.DateTimeNow = String.Format("{0:yyyy/MM/dd}", DateTime.Now) 

       Dim Reader As MySqlDataReader 
       Dim Amount As Double = Double.Parse(txtAmount.Text) 

       Reader = modGlobalFunctions.executeQuery("SELECT * FROM obligations " & _ 
                 "WHERE ref_no='" & txtRefNo.Text & "'") 
       If Reader.HasRows Then 
        MessageBox.Show("Could not insert duplicate entries for REFERENCE NO.!", "Form Validations", MessageBoxButtons.OK, MessageBoxIcon.Error) 
        Reader.Close() 
        modGlobalFunctions.Connection.Close() 

       Else 
        modGlobalFunctions.Connection.Close() 
        modGlobalFunctions.connectDatabase() 

        modGlobalFunctions.executeNonQuery("INSERT INTO obligations (resp_id, year_id, expenditure_id, ref_no, payee, office, address, particulars, ppa, amount, date_entered, date_edited, signature1, position1, signature2, position2) " & _ 
                 "VALUES ('" & RespCenterId & "', " & _ 
                   "'" & YearId & "', " & _ 
                   "'" & txtExpId.Text & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtRefNo.Text) & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtPayee.Text) & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtOffice.Text) & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtAddress.Text) & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtParticulars.Text) & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtPPA.Text) & "', " & _ 
                   "'" & Amount & "', " & _ 
                   "'" & modGlobalFunctions.DateTimeNow & "', " & _ 
                   "'" & modGlobalFunctions.DateTimeNow & "', " & _ 
                   "'" & Signature1 & "', " & _ 
                   "'" & Position1 & "', " & _ 
                   "'" & Signature2 & "', " & _ 
                   "'" & Position2 & "')") 

        MsgBox("Record has been added!", MsgBoxStyle.Information) 
        modGlobalFunctions.Connection.Close() 

        Me.Close() 
        Dispose() 
        frmObligations.MdiParent = frmMain 
        frmObligations.Show() 
        frmObligations.obligationLoadGrid() 

       End If 

      Catch ex As Exception 
       MessageBox.Show(ex.Message, "BIMS", MessageBoxButtons.OK, MessageBoxIcon.Error) 
      End Try 

     Else 
      MsgBox("Please fill up all form fields!", MsgBoxStyle.Exclamation) 
      modGlobalFunctions.Connection.Close() 
     End If 

     modGlobalFunctions.Connection.Close() 


    Else 

     If ((txtCode.Text <> "") And (txtRefNo.Text <> "") And (txtPayee.Text <> "") And (txtOffice.Text <> "") And (txtAddress.Text <> "") And (txtParticulars.Text <> "")) Then 
      Try 

       modGlobalFunctions.Connection.Close() 
       modGlobalFunctions.connectDatabase() 

       modGlobalFunctions.DateTimeNow = String.Format("{0:yyyy/MM/dd}", DateTime.Now) 

       Dim Reader As MySqlDataReader 

       Reader = modGlobalFunctions.executeQuery("SELECT * FROM obligations " & _ 
                 "WHERE ref_no='" & txtRefNo.Text & "'") 
       If Reader.HasRows Then 
        MessageBox.Show("Could not insert duplicate entries for REFERENCE NO.!", "Form Validations", MessageBoxButtons.OK, MessageBoxIcon.Error) 
        Reader.Close() 
        modGlobalFunctions.Connection.Close() 
       Else 
        modGlobalFunctions.Connection.Close() 
        modGlobalFunctions.connectDatabase() 

        modGlobalFunctions.executeNonQuery("INSERT INTO obligations (resp_id, year_id, expenditure_id, ref_no, payee, office, address, particulars, date_entered, date_edited, signature1, position1, signature2, position2) " & _ 
                 "VALUES ('" & RespCenterId & "', " & _ 
                   "'" & YearId & "', " & _ 
                   "'" & txtExpId.Text & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtRefNo.Text) & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtPayee.Text) & "', " & _ 
                   "'" & odGlobalFunctions.addslashes(txtOffice.Text) & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtAddress.Text) & "', " & _ 
                   "'" & modGlobalFunctions.addslashes(txtParticulars.Text) & "', " & _ 
                   "'" & modGlobalFunctions.DateTimeNow & "', " & _ 
                   "'" & modGlobalFunctions.DateTimeNow & "', " & _ 
                   "'" & Signature1 & "', " & _ 
                   "'" & Position1 & "', " & _ 
                   "'" & Signature2 & "', " & _ 
                   "'" & Position2 & "')") 

        MsgBox("Record has been added! You can now add project title!", MsgBoxStyle.Information) 
        frmProject.MdiParent = frmMain 
        frmProject.Show() 
        frmProject.Label2.Text = txtRefNo.Text 
        Me.Enabled = False 

       End If 

      Catch ex As Exception 
       MessageBox.Show(ex.Message, "BIMS", MessageBoxButtons.OK, MessageBoxIcon.Error) 
      End Try 

     Else 
      MsgBox("Please fill up all form fields!", MsgBoxStyle.Exclamation) 
      modGlobalFunctions.Connection.Close() 
     End If 

     modGlobalFunctions.Connection.Close() 

    End If 

End Sub

有什麼看法就是爲什麼Signature1,位置1,簽名2和職位2不存儲在數據庫中的問題。它的工作原理之前很正常,直到我把因爲類的,如果代碼...順便說一下這裏的signature1,位置1,簽名2和位置2的代碼:

Signature1:

 Private Sub cbSignatory1_SelectedIndexChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) 
    Try 
     modGlobalFunctions.Connection.Close() 
     modGlobalFunctions.connectDatabase() 

     Reader = modGlobalFunctions.executeQuery("SELECT person_id FROM persons WHERE person_name='" & cbSignatory1.Text & "'") 

     If Reader.HasRows Then 
      While Reader.Read 
       Signature1 = Reader("person_id").ToString() 
      End While 
     End If 

     Reader.Close() 

     modGlobalFunctions.Connection.Close() 

    Catch ex As Exception 
     MessageBox.Show(ex.Message, "BIMS", MessageBoxButtons.OK, MessageBoxIcon.Error) 
    End Try 

    modGlobalFunctions.Connection.Close() 
End Sub

簽名2:

Private Sub cbSignatory2_SelectedIndexChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) 
    Try 
     modGlobalFunctions.Connection.Close() 
     modGlobalFunctions.connectDatabase() 

     Reader = modGlobalFunctions.executeQuery("SELECT person_id FROM persons WHERE person_name='" & cbSignatory2.Text & "'") 

     If Reader.HasRows Then 
      While Reader.Read 
       Signature2 = Reader("person_id").ToString() 
      End While 
     End If 

     Reader.Close() 

     modGlobalFunctions.Connection.Close() 

    Catch ex As Exception 
     MessageBox.Show(ex.Message, "BIMS", MessageBoxButtons.OK, MessageBoxIcon.Error) 
    End Try 

    modGlobalFunctions.Connection.Close() 
End Sub

位置1:

Private Sub cbPosition1_SelectedIndexChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) 
    Try 
     modGlobalFunctions.Connection.Close() 
     modGlobalFunctions.connectDatabase() 

     Reader = modGlobalFunctions.executeQuery("SELECT position_id FROM positions WHERE position_name='" & cbPosition1.Text & "'") 

     If Reader.HasRows Then 
      While Reader.Read 
       Position1 = Reader("position_id").ToString() 
      End While 
     End If 

     Reader.Close() 

     modGlobalFunctions.Connection.Close() 

    Catch ex As Exception 
     MessageBox.Show(ex.Message, "BIMS", MessageBoxButtons.OK, MessageBoxIcon.Error) 
    End Try 

    modGlobalFunctions.Connection.Close() 
End Sub

職位2:

Private Sub cbPosition2_SelectedIndexChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) 
    Try 
     modGlobalFunctions.Connection.Close() 
     modGlobalFunctions.connectDatabase() 

     Reader = modGlobalFunctions.executeQuery("SELECT position_id FROM positions WHERE position_name='" & cbPosition2.Text & "'") 

     If Reader.HasRows Then 
      While Reader.Read 
       Position2 = Reader("position_id").ToString() 
      End While 
     End If 

     Reader.Close() 

     modGlobalFunctions.Connection.Close() 


    Catch ex As Exception 
     MessageBox.Show(ex.Message, "BIMS", MessageBoxButtons.OK, MessageBoxIcon.Error) 
    End Try 

    modGlobalFunctions.Connection.Close() 
End Sub

有什麼建議嗎?

來源

2012-08-10 bayan0926

+1

請*使用佔位符/參數*(看這件事,修復代碼,和*然後*參見堅持什麼問題)。不僅*可能會「修復」這個問題,它會阻止SQL注入攻擊。 – 2012-08-10 00:46:02

+0

,因爲它只是添加這就是爲什麼沒有更新... – bayan0926 2012-08-10 01:00:01

+0

插入記錄時沒有出現任何錯誤? – 2012-08-10 01:12:29

回答

2

我敢打賭Person_IDposition_id是數據庫中的數字類型。對?之所以沒有插入,是因爲您用單引號將它包裹起來:

"'" & Signature1 & "', " & _  // <== here 
"'" & Position1 & "', " & _ 
"'" & Signature2 & "', " & _ 
"'" & Position2 & "'

數字值不包含單引號。還有一件事,我建議你使用Commandparameters來避免SQL注入。

例如基於代碼:

Dim sqlStatement AS String = "INSERT INTO obligations (resp_id, year_id, expenditure_id, " 
sqlStatement &= "ref_no, payee, office, address, particulars, ppa, amount, date_entered, " 
sqlstetement &= "date_edited, signature1, position1, signature2, position2) " 
sqlstetement &= "VALUES (@resp_id, @year_id, @expenditure_id, " 
sqlStatement &= "@ref_no, @payee, @office, @address, @particulars, @ppa, @amount, @date_entered, " 
sqlstetement &= "@date_edited, @signature1, @position1, @signature2, @position2) " 

Using xConn AS New MySQLConnection(connStrHere) 
    Using xComm AS New MySQLCommand() 
     With xComm 
      .Connection = xConn 
      .CommandType = CommandType.Text 
      .CommandText = sqlStatement 
      .Parameter.AddWithValue("@resp_id", RespCenterId) 
      .Parameter.AddWithValue("@year_id", YearId) 
      .Parameter.AddWithValue("@expenditure_id", txtExpId.Text) 
      ' continue with other parameters 
      ' ..... 
      ' until you reach the last parameters ' 
      .Parameter.AddWithValue("@signature1", Signature1) 
      .Parameter.AddWithValue("@position1", Position1) 
      .Parameter.AddWithValue("@signature2", Signature2) 
      .Parameter.AddWithValue("@position2", Position2) 
     End With 
     Try 
      xConn.Open() 
      xComm.ExecuteNonQuery() 
      MsgBox("Record has been added!", MsgBoxStyle.Information) 
     Catch ex AS MySQLException 
      MsgBox(e.Message, MsgBoxStyle.Exclamation) 
     Finally 
      xConn.Open() 
     End try 
    End Using 
End Using

來源

2012-08-10 02:13:47

+0

+1顯示參數的使用*但是*,它應該*好吧*如果數字由於隱式強制包裹在(字符串)單引號中。 – 2012-08-10 02:39:53

+0

謝謝.. pinoy ka pala ... salamat :)我會試試這:) – bayan0926 2012-08-10 05:03:27

相關問題

 相關問題