2016-05-12 48 views
2

美好的一天!我在插入我的程序時遇到了一個小問題。看,代碼沒有錯誤,但我嘗試插入時遇到了OleDb異常。我的項目做工精細的其他部分,但有一個很小的問題,在這裏,我似乎無法找到插入函數到我的數據庫程序的問題

public void Insert() 
    { 
     //myDb = new OleDbConnection(conn + dbFile); 
     myDb.Open(); 
     OleDbDataAdapter adapter = new OleDbDataAdapter("SELECT * FROM Employee", myDb); 
     // 
     OleDbCommand cmd = new OleDbCommand("INSERT INTO Employee(Username, Password, email, phone) VALUES ('" + insUn + "','" + insPass + "','" + insNm + "','" + insNmr + "')", myDb); 

     adapter.InsertCommand = cmd; 

     adapter.InsertCommand.ExecuteNonQuery(); 



     DataSet ds = new DataSet(); 
     adapter.Fill(ds, "Employee"); 

     dataGridView1.DataSource = ds; 
     dataGridView1.DataMember = "Employee"; 

     myDb.Close(); 
    } 

的其他功能,如搜索和刪除工作,但我不能在這裏找到問題

這些是例外:

try 
     { 
      if (textBox2.Text != "") 
      { 
       insUn = textBox2.Text; 
       insNmr = textBox4.Text; 
       insPass = textBox3.Text; 
       insNm = textBox5.Text; 
      } 
      Insert(); 
     } 
     catch (OleDbException ex) 
     { 
      MessageBox.Show("Error, please try again", "Exception", MessageBoxButtons.RetryCancel, MessageBoxIcon.Error); 
     } 
     catch (FormatException ex) 
     { 
      MessageBox.Show("One or more fields have not been entered. Please check and re-enter", "Missing fields", MessageBoxButtons.OK, MessageBoxIcon.Hand); 
     } 



enter code here 
+0

你看到了什麼oledb異常?另外,你是否知道[sql注入](http://bobby-tables.com/)? –

+0

雖然 –

+0

我正在捕獲異常,但並未查看異常的詳細信息,但我並不真正瞭解sql注入。您需要查看堆棧跟蹤和/或異常正在返回的消息 – Kritner

回答

0

我建議你使用Parameter避免SQL注入,並把括號[]在查詢[Password],因爲它是象下面這樣的關鍵字:

public void Insert() 
{ 
    //myDb = new OleDbConnection(conn + dbFile); 
    myDb.Open(); 

    OleDbCommand cmd = new OleDbCommand("INSERT INTO Employee(Username, [Password], email, phone) VALUES (@Username, @Password, @email, @phone)", myDb); 
    cmd.Parameters.AddWithValue("@Username", insUn); 
    cmd.Parameters.AddWithValue("@Password", insPass); 
    cmd.Parameters.AddWithValue("@email", insNm); 
    cmd.Parameters.AddWithValue("@phone", insNmr); 
    cmd.ExecuteNonQuery(); 

    OleDbDataAdapter adapter = new OleDbDataAdapter("SELECT * FROM Employee", myDb); 
    DataSet ds = new DataSet(); 
    adapter.Fill(ds, "Employee"); 

    dataGridView1.DataSource = ds; 
    dataGridView1.DataMember = "Employee"; 

    myDb.Close(); 
} 
+0

謝謝!現在讓我試試吧 –

+0

我仍然在這裏得到一個錯誤http://imgur.com/urZ7KzV –

+0

我有更改代碼的答案你可以試試 –

0

Abdellah的答案是可行的,但在構建查詢字符串時要注意SQL注入攻擊。你應該這樣構建:

OleDbCommand cmd = new OleDbCommand("INSERT INTO Employee(Username, Password, email, phone) VALUES (@p1, @p2, @p3, @p4)", myDb); 
int maxSize = 50; 
cmd.Paramters.Add("@p1", SqlDbType.VarChar, maxSize).Value = insUn; 
cmd.Parameters.Add("@p2", SqlDbType.VarChar, maxSize).Value = insPass; 
cmd.Parameters.Add("@p3", SqlDbType.VarChar, maxSize).Value = insNm; 
cmd.Parameters.Add("@p4", SqlDbType.VarChar, maxSize).Value = insNmr;