在使用SQL Server 2012時在vb中使用參數化查詢

Question

當我參數化查詢時，出現「必須聲明標量變量」的錯誤。我是使用SQL Server的新手。而我使用的版本是SQL Server 2012的下面是代碼片段：

Protected Sub Main_Page 
    Dim con as OleDbConnection 
    Dim cmd as OleDbCommand 
    Dim query as String 

    con = New OleDbConnection("Provider=SQLNCLI11;Data Source=ARIES-PC\SQLEXPRESS;Integrated Security=SSPI;Initial Catalog=SchoolDB") 
    con.Open() 
    query = "INSERT INTO Instructors(FirstName,LastName,Address,Contact_Number) VALUES (@fname,@lname,@address,@number)" 
    cmd = New OleDbCommand(query, con) 
    cmd.Parameters.AddWithValue("@fname", txtFirstName.Text) 
    cmd.Parameters.AddWithValue("@lname", txtLastName.Text) 
    cmd.Parameters.AddWithValue("@address", txtAddress.Text) 
    cmd.Parameters.AddWithValue("@number", txtContact.Text) 
    cmd.ExecuteNonQuery() 
    cmd.Dispose() 
    con.Close() 
    Response.Write(<script>alert('Success!')</script>) 
End Sub 

Answer 1

參數化查詢，以避免SQL注入，所以最好的做法使用帶有參數的簡單的存儲過程，它的正常工作。

你的C＃代碼

Protected Sub Main_Page() 
     Dim con As OleDbConnection 
     Dim cmd As OleDbCommand 

     con = New OleDbConnection("Provider=SQLNCLI11;Data Source=ARIES-PC\SQLEXPRESS;Integrated Security=SSPI;Initial Catalog=SchoolDB") 

     con.Open() 
     cmd = New OleDbCommand("spSaveData", con) 
     cmd.CommandType = CommandType.StoredProcedure 
     cmd.Parameters.AddWithValue("@fname", txtFirstName.Text) 
     cmd.Parameters.AddWithValue("@lname", txtLastName.Text) 
     cmd.Parameters.AddWithValue("@address", txtAddress.Text) 
     cmd.Parameters.AddWithValue("@number", txtContact.Text) 
     cmd.ExecuteNonQuery() 
     cmd.Dispose() 
     con.Close() 
     Response.Write(<script>alert('Success!')</script>) 

    End Sub 

你的存儲過程的代碼

CREATE PROCEDURE spSaveData 
    @fname varchar(200), 
    @lname varchar(200), 
    @address varchar(300), 
    @number int 
AS 
BEGIN 
    INSERT INTO Instructors(FirstName, LastName, Address, Contact_Number) 
    VALUES (@fname, @lname, @address, @number) 
END