Incorrect syntax near '4'
I have an INSERT code where the variable s = 4. Help would be pretty appreciated.
con.Open()
Dim cmd As New SqlCommand(\"INSERT INTO Employee VALUES
-
Misssing closing bracket
)con.Open() Dim cmd As New SqlCommand("INSERT INTO Employee VALUES('" & txtfname.Text & "','" & txtmi.Text & "','" & txtlname.Text & "','" & txtssn.Text & "','" & txtbdate.Text & "','" & txtaddress.Text & "','" & cmbsex.Text.ToUpper & "','" & txtsalary.Text & "','" & DBNull.Value & "','" & s & "')", con)讨论(0) -
The missing closing parens is one of the lesser problems in what you have:
- It is hard to read and maintain
- It is wide open to SQL injection attacks
- It assumes the code knows the order the DB layer will serve up the columns
- Doesn't appear disposables are being disposed
- Unwanted data type conversion seem to be going on
A better way to create the SQL for a long query which addresses 1, 2 and 3 is something like this:
' an XML literal Dim SQL = <sql> INSERT INTO Employee (FirstName, LastName, SocSecNum, BirthDate, Address, Gender ...) VALUES (@firstN, @lastN, @SSN ... ) </sql> Using cmd As New SqlCommand(sql.Value, con) ... cmd.Parameters.AddWithValue("@firstN", txtfname.Text) cmd.Parameters.AddWithValue("@lastN", txtlname.Text) ... cmd.ExecuteNonQuery() ... End Using ' disposes of the object when doneEven though
INSERT INTO tablename VALUES ...is legal syntax, it assumes that your db will have the columns in the some order and that it will not change as you alter the db. The above method explicitly maps parameters to columns based on the order of the columns and parameter placeholders. The names ("@firstN") make it easy for you to see which value you are working with.Using an XML literal will allow you to layout the text however it is most readable to you, but even a string literal can be easier to read and maintain than concatenating:
Dim strSQL As String = "INSERT INTO Employee (FirstName, LastName, SocSecNum, " _ & "BirthDate, Address, Gender ..." _ & " VALUES (@p1, @p2...)"Using either method, the missing parens in the OP would have been much more obvious and less likely to have happened at all. Next, some columns appear to be numeric such as Salary and BirthDate, so SQL such as this may be wrong:
... & "','" & txtbdate.Text & "','" & txtsalary.Text & "','" ...Placing ticks around the value assures that you are passing a String to the dbLayer. If Salary is a numeric column and DateOfBirth is a date column -- as they should be -- then you may well get a data type mismatch error. Parameters make it easier to pass the correct data type because you can see what you are working with:
cmd.Parameters.AddWithValue("@DOB", CDate(txtbdate.Text)) cmd.Parameters.AddWithValue("@Salary", CDec(txtsalary.Text))(Note, when using OleDB, parameters are simply ordinal so be sure to
AddWithValuein the same order as specified in the SQL). Passing the wrong datatype can cause the dblayer to make some assumptions, to avoid this you can do it the long way:cmd.Parameters.Add("@firstN", SqlDbType.VarChar, 32) ' 32 = column def cmd.Parameters("@firstN").Value = txtfname.TextOne more issue is that the code does not seem to perform any data validation. What if they type "I like pie" as the Salary? Or enter "02/31/1986" (mm/dd) for BirthDate? Your code will crash deep into this procedure. So data validation using things like
DateTime.TryParseandInteger.TryParseon the user input should have (and may have) taken place much further upstream.讨论(0) -
You missed the closing parenthesis. Change it like
Dim cmd As New SqlCommand("INSERT INTO Employee VALUES('" & txtfname.Text & "','" & txtmi.Text & "','" & txtlname.Text & "','" & txtssn.Text & "','" & txtbdate.Text & "','" & txtaddress.Text & "','" & cmbsex.Text.ToUpper & "','" & txtsalary.Text & "','" & DBNull.Value & "','" & s & "')", con)讨论(0) -
You forgot the closing )
...l.Value & "','" & s & "')", con)
讨论(0)
加载中...
- 热议问题