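VB.net SQL syntax
For some school work, I was given source code to update data in an Access database. However, when trying to use it, I have little idea what the correct syntax is.
Here is the source code, the update function: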
```vbnet
Sub UpdateData(ByVal dataToUpdate As String, ByVal updateCriteria As String)
    'Assemble SQL query to update the specified record(s) with the specified value(s)
    Dim sql As String = "UPDATE " & DBtable & " SET " & dataToUpdate & " WHERE " _
        & updateCriteria
    'Create an instance of data adapter (if not created already)
    myDataAdapter = New OleDb.OleDbDataAdapter()
    'Add command to update data (using data adaptor) based on SQL query above.
    myDataAdapter.UpdateCommand = New OleDb.OleDbCommand(sql, myCon)
    'Execute command to update data in the relevant database record(s)
    myDataAdapter.UpdateCommand.ExecuteNonQuery()
    MsgBox(sql)
End Sub
```
And this is how I am trying to execute it, but I can't get the syntax right:
```vbnet
UpdateData("first_name = '" & Firstnamebox.Text & "' AND last_name = '" _
    & Lastnamebox.Text & "' AND middle_name = '" & Middlenamebox.Text _
    & "' AND age = '" & Agebox.Text & "' AND AdditionalInfo = '" & AddInfoBox.Text _
    & "' AND User_level = '" & UserLevelBox.Text & "' AND username =' " _
    & Usernamebox.Text & "' AND [password] = '" & Passwordbox.Text & "'",
    "ID = '" & id & "'")
```
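Any ideas where I'm going wrong?
Thanks,
You should use *prepared statements* rather than patching the query together like this.
You _really_ should see my answer on this post instead: http://stackoverflow.com/a/22130028/1842065
I can't stress the importance of using parameters enough. It simplifies assigning values and prevents injection attacks. For example, you put single quotes around the Age field, which is probably numeric, and that will cause a type mismatch error.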
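
The parameterized update that the comments recommend, written out as an added example (it is not code from the question or from the linked answer). The table name `Users`, the `UpdateUser` signature and the column types (numeric `age` and `ID`, text for everything else) are assumptions; the column names are the ones used in the question.

```vbnet
Imports System.Data.OleDb

Module ParameterizedUpdateExample
    ' Assumed table name; the question only shows a DBtable variable.
    Private Const TableName As String = "Users"

    ' Updates one record and returns the number of rows affected.
    ' con must already be open. Throws ArgumentException when the age text
    ' is not a whole number, before any SQL reaches the database.
    Function UpdateUser(con As OleDbConnection, id As Integer,
                        firstName As String, lastName As String,
                        middleName As String, ageText As String,
                        additionalInfo As String, userLevel As String,
                        username As String, password As String) As Integer
        Dim age As Integer
        If Not Integer.TryParse(ageText, age) Then
            Throw New ArgumentException("Age must be a whole number.", "ageText")
        End If

        ' The SQL text is fixed: SET assignments are separated by commas and
        ' every value is a "?" placeholder, so user input is never parsed as SQL.
        Dim sql As String =
            "UPDATE [" & TableName & "] SET first_name = ?, last_name = ?, " &
            "middle_name = ?, age = ?, AdditionalInfo = ?, User_level = ?, " &
            "username = ?, [password] = ? WHERE ID = ?"

        Using cmd As New OleDbCommand(sql, con)
            ' OleDb binds parameters by position, not by name, so the order
            ' below must match the order of the "?" markers above.
            With cmd.Parameters
                .Add("@first_name", OleDbType.VarWChar).Value = firstName
                .Add("@last_name", OleDbType.VarWChar).Value = lastName
                .Add("@middle_name", OleDbType.VarWChar).Value = middleName
                .Add("@age", OleDbType.Integer).Value = age             ' assumed numeric
                .Add("@additional_info", OleDbType.VarWChar).Value = additionalInfo
                .Add("@user_level", OleDbType.VarWChar).Value = userLevel ' assumed text
                .Add("@username", OleDbType.VarWChar).Value = username
                .Add("@password", OleDbType.VarWChar).Value = password
                .Add("@id", OleDbType.Integer).Value = id               ' assumed numeric
            End With
            Return cmd.ExecuteNonQuery()
        End Using
    End Function
End Module
```

A text box value containing a single quote is stored as data here, whereas in the concatenated version it would end the string literal and change the statement.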