vb.net - SQL - 配对查询时出错
vb.net - SQL - Error paring the query
我在我的 AutoCAD 插件应用程序中收到此 SQL 错误。 “[令牌行号 =1,令牌行偏移量 = 110,错误令牌 = desc]”。我逐步完成 table 提取 dbText 信息并将其传递到我的数据库中。根据一些帖子,我尝试在 table 名称周围添加 [] 并在值之前添加 @,但两种解决方案均无效。
Using myTrans As Transaction = myDB.TransactionManager.StartTransaction
Dim myLayerTable As LayerTable = myDB.LayerTableId.GetObject(OpenMode.ForRead)
For Each myLayerID As ObjectId In myLayerTable
Dim myLayer As LayerTableRecord = myLayerID.GetObject(OpenMode.ForRead)
If myLayer <> Nothing Then
Dim name As String = myLayer.Name,
isoff As Boolean = myLayer.IsOff,
frozen As Boolean = myLayer.IsFrozen,
locked As Boolean = myLayer.IsLocked,
color As String = myLayer.Color.ColorNameForDisplay,
linetype As String = myLayer.LinetypeObjectId.ToString,
lineweight As String = myLayer.LineWeight.ToString,
transparency As String = myLayer.Transparency.ToString,
plotstyle As String = myLayer.PlotStyleNameId.ToString,
isplottable As Boolean = myLayer.IsPlottable,
vv As Boolean = myLayer.ViewportVisibilityDefault,
desc As String = myLayer.Description
Dim nd As String = "INSERT INTO layers (name, isoff, frozen, locked, color, linetype, lineweight, transparency, isplottable, vv, desc) " & _
"VALUES (" & _
"'" & name & "', " & _
"'" & isoff & "', " & _
"'" & frozen & "', " & _
"'" & locked & "', " & _
"'" & color & "', " & _
"'" & linetype & "', " & _
"'" & lineweight & "', " & _
"'" & transparency & "', " & _
"'" & isplottable & "', " & _
"'" & vv & "', " & _
"'" & desc & "')"
CeCon.DataUpdate(nd)
End If
Next
myTrans.Abort()
End Using
Private CeCon As New SqlCeConnection("Data Source=D:\Documents\Test.sdf;Persist Security Info=False;")
Private CeCmd As SqlCeCommand
Public CeDA As SqlCeDataAdapter
Public CeDT As DataTable
Public Params As New List(Of SqlCeParameter)
Public RecordCount As Integer
Public Exception As String
Public Sub ExecQuery(Query As String)
' Reset query stats
RecordCount = 0
Exception = ""
Try
CeCon.Open()
CeCmd = New SqlCeCommand(Query, CeCon)
Params.ForEach(Sub(p) CeCmd.Parameters.Add(p))
Params.Clear()
CeDT = New DataTable
CeDA = New SqlCeDataAdapter(CeCmd)
RecordCount = CeDA.Fill(CeDT)
Catch ex As Exception
Exception = ex.Message
Finally
If CeCon.State = ConnectionState.Open Then CeCon.Close()
End Try
End Sub
Public Function DataUpdate(Command As String) As Integer
Try
CeCon.Open()
CeCmd = New SqlCeCommand(Command, CeCon)
Dim ChangeCount As Integer = CeCmd.ExecuteNonQuery
CeCon.Close()
Return ChangeCount
Catch ex As Exception
MsgBox(ex.Message)
End Try
If CeCon.State = ConnectionState.Open Then CeCon.Close()
Return 0
End Function
DESC 是这个世界上任何 SQL 数据库中的保留关键字。你需要在那个词周围加上方括号。 [desc] 或更好地将该名称更改为问题较少的名称。
这不是您代码中的唯一问题。如果这些变量中的任何一个包含单引号,则通过字符串连接产生无效的 sql 命令。 (我让您自己发现与 Sql Injection 相关的问题,这些问题可能会简单地破坏您的数据库)
所以你需要一个参数化查询
Dim nd As String = "INSERT INTO layers
(name, isoff, frozen, locked, color, linetype, lineweight,
transparency, isplottable, vv, [desc])
VALUES (@name, @isoff, @frozen, @locked, @color, @linetype, @lineweight,
@transparency, @isplottable, @vv, @desc)"
Dim prms = new List(Of SqlCeParameter)()
prms.Add(new SqlCeParameter("@name", SqlDbType.NVarChar) With {.Value = name})
prms.Add(new SqlCeParameter("@isoff", SqlDbType.Bit) With {.Value = isoff})
prms.Add(new SqlCeParameter("@frozen", SqlDbType.Bit) With {.Value = frozen})
prms.Add(new SqlCeParameter("@locked", SqlDbType.Bit) With {.Value = locked})
prms.Add(new SqlCeParameter("@color", SqlDbType.NVarChar) With {.Value = color})
prms.Add(new SqlCeParameter("@linetype", SqlDbType.NVarChar) With {.Value = linetype})
prms.Add(new SqlCeParameter("@lineweight", SqlDbType.NVarChar) With {.Value = lineweight})
prms.Add(new SqlCeParameter("@transparency", SqlDbType.NVarChar) With {.Value = transparency})
prms.Add(new SqlCeParameter("@isplottable", SqlDbType.Bit) With {.Value = isplottable})
prms.Add(new SqlCeParameter("@vv", SqlDbType.Bit) With {.Value = vv})
prms.Add(new SqlCeParameter("@desc", SqlDbType.NVarChar) With {.Value = desc})
CeCon.DataUpdate(nd, prms)
这意味着您还需要更改 DataUpdate 过程以接收参数值列表
Public Function DataUpdate(Command As String, prms As List(Of SqlCeParameter)) As Integer
Try
CeCon.Open()
CeCmd = New SqlCeCommand(Command, CeCon)
if prms Is Not Nothing Then
CeCmd.Parameters.AddRange(prms.ToArray())
End if
Dim ChangeCount As Integer = CeCmd.ExecuteNonQuery
CeCon.Close()
Return ChangeCount
Catch ex As Exception
MsgBox(ex.Message)
End Try
If CeCon.State = ConnectionState.Open Then CeCon.Close()
Return 0
End Function
我在我的 AutoCAD 插件应用程序中收到此 SQL 错误。 “[令牌行号 =1,令牌行偏移量 = 110,错误令牌 = desc]”。我逐步完成 table 提取 dbText 信息并将其传递到我的数据库中。根据一些帖子,我尝试在 table 名称周围添加 [] 并在值之前添加 @,但两种解决方案均无效。
Using myTrans As Transaction = myDB.TransactionManager.StartTransaction
Dim myLayerTable As LayerTable = myDB.LayerTableId.GetObject(OpenMode.ForRead)
For Each myLayerID As ObjectId In myLayerTable
Dim myLayer As LayerTableRecord = myLayerID.GetObject(OpenMode.ForRead)
If myLayer <> Nothing Then
Dim name As String = myLayer.Name,
isoff As Boolean = myLayer.IsOff,
frozen As Boolean = myLayer.IsFrozen,
locked As Boolean = myLayer.IsLocked,
color As String = myLayer.Color.ColorNameForDisplay,
linetype As String = myLayer.LinetypeObjectId.ToString,
lineweight As String = myLayer.LineWeight.ToString,
transparency As String = myLayer.Transparency.ToString,
plotstyle As String = myLayer.PlotStyleNameId.ToString,
isplottable As Boolean = myLayer.IsPlottable,
vv As Boolean = myLayer.ViewportVisibilityDefault,
desc As String = myLayer.Description
Dim nd As String = "INSERT INTO layers (name, isoff, frozen, locked, color, linetype, lineweight, transparency, isplottable, vv, desc) " & _
"VALUES (" & _
"'" & name & "', " & _
"'" & isoff & "', " & _
"'" & frozen & "', " & _
"'" & locked & "', " & _
"'" & color & "', " & _
"'" & linetype & "', " & _
"'" & lineweight & "', " & _
"'" & transparency & "', " & _
"'" & isplottable & "', " & _
"'" & vv & "', " & _
"'" & desc & "')"
CeCon.DataUpdate(nd)
End If
Next
myTrans.Abort()
End Using
Private CeCon As New SqlCeConnection("Data Source=D:\Documents\Test.sdf;Persist Security Info=False;")
Private CeCmd As SqlCeCommand
Public CeDA As SqlCeDataAdapter
Public CeDT As DataTable
Public Params As New List(Of SqlCeParameter)
Public RecordCount As Integer
Public Exception As String
Public Sub ExecQuery(Query As String)
' Reset query stats
RecordCount = 0
Exception = ""
Try
CeCon.Open()
CeCmd = New SqlCeCommand(Query, CeCon)
Params.ForEach(Sub(p) CeCmd.Parameters.Add(p))
Params.Clear()
CeDT = New DataTable
CeDA = New SqlCeDataAdapter(CeCmd)
RecordCount = CeDA.Fill(CeDT)
Catch ex As Exception
Exception = ex.Message
Finally
If CeCon.State = ConnectionState.Open Then CeCon.Close()
End Try
End Sub
Public Function DataUpdate(Command As String) As Integer
Try
CeCon.Open()
CeCmd = New SqlCeCommand(Command, CeCon)
Dim ChangeCount As Integer = CeCmd.ExecuteNonQuery
CeCon.Close()
Return ChangeCount
Catch ex As Exception
MsgBox(ex.Message)
End Try
If CeCon.State = ConnectionState.Open Then CeCon.Close()
Return 0
End Function
DESC 是这个世界上任何 SQL 数据库中的保留关键字。你需要在那个词周围加上方括号。 [desc] 或更好地将该名称更改为问题较少的名称。
这不是您代码中的唯一问题。如果这些变量中的任何一个包含单引号,则通过字符串连接产生无效的 sql 命令。 (我让您自己发现与 Sql Injection 相关的问题,这些问题可能会简单地破坏您的数据库)
所以你需要一个参数化查询
Dim nd As String = "INSERT INTO layers
(name, isoff, frozen, locked, color, linetype, lineweight,
transparency, isplottable, vv, [desc])
VALUES (@name, @isoff, @frozen, @locked, @color, @linetype, @lineweight,
@transparency, @isplottable, @vv, @desc)"
Dim prms = new List(Of SqlCeParameter)()
prms.Add(new SqlCeParameter("@name", SqlDbType.NVarChar) With {.Value = name})
prms.Add(new SqlCeParameter("@isoff", SqlDbType.Bit) With {.Value = isoff})
prms.Add(new SqlCeParameter("@frozen", SqlDbType.Bit) With {.Value = frozen})
prms.Add(new SqlCeParameter("@locked", SqlDbType.Bit) With {.Value = locked})
prms.Add(new SqlCeParameter("@color", SqlDbType.NVarChar) With {.Value = color})
prms.Add(new SqlCeParameter("@linetype", SqlDbType.NVarChar) With {.Value = linetype})
prms.Add(new SqlCeParameter("@lineweight", SqlDbType.NVarChar) With {.Value = lineweight})
prms.Add(new SqlCeParameter("@transparency", SqlDbType.NVarChar) With {.Value = transparency})
prms.Add(new SqlCeParameter("@isplottable", SqlDbType.Bit) With {.Value = isplottable})
prms.Add(new SqlCeParameter("@vv", SqlDbType.Bit) With {.Value = vv})
prms.Add(new SqlCeParameter("@desc", SqlDbType.NVarChar) With {.Value = desc})
CeCon.DataUpdate(nd, prms)
这意味着您还需要更改 DataUpdate 过程以接收参数值列表
Public Function DataUpdate(Command As String, prms As List(Of SqlCeParameter)) As Integer
Try
CeCon.Open()
CeCmd = New SqlCeCommand(Command, CeCon)
if prms Is Not Nothing Then
CeCmd.Parameters.AddRange(prms.ToArray())
End if
Dim ChangeCount As Integer = CeCmd.ExecuteNonQuery
CeCon.Close()
Return ChangeCount
Catch ex As Exception
MsgBox(ex.Message)
End Try
If CeCon.State = ConnectionState.Open Then CeCon.Close()
Return 0
End Function