问题
For some reason when I try to add data to my database I keep getting:
A first chance exception of type 'System.Data.OleDb.OleDbException' occurred in System.Data.dll
Additional information: Missing semicolon (;) at end of SQL statement.
Here is my code. Now I have installed the database engine, and I have changed the cpu to x86.
Private Sub SaveButton_Click(sender As Object, e As EventArgs) Handles SaveButton.Click
If DirectCast(AdminCheckBox, CheckBox).Checked = True Then
Dim result1 As Integer
Dim cmd As New OleDb.OleDbCommand
cnn = New OleDb.OleDbConnection
cnn.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0; Data Source=" & "C:\Users\daNo\Documents\Visual Studio 2013\Projects\WindowsApplication1\WindowsApplication1\bin\chem.accdb;"
If Not cnn.State = ConnectionState.Open Then
cnn.Open()
End If
result1 = MsgBox("Are you sure you want to add this user a admin?", MsgBoxStyle.YesNo, "Add New User")
If result1 = vbYes Then
cmd.Connection = cnn
cmd.CommandText = "INSERT INTO Users(UserName, [password], Email) " & _
"VALUES(?,?,?)'"
cmd.Parameters.AddWithValue("@p1", Me.UserNameTextBox.Text)
cmd.Parameters.AddWithValue("@p2", Me.PasswordTextBox2.Text)
cmd.Parameters.AddWithValue("@p3", Me.EmailTextBox.Text)
cmd.ExecuteNonQuery()
MsgBox("Account has been created!", MsgBoxStyle.OkOnly, "Add New User")
Dim ACCSETTINGS As New ACCSETTINGS
ACCSETTINGS.Show()
Me.Hide()
Me.Close()
ElseIf result1 = vbNo Then
Dim NEWUSER As New NewUser
NEWUSER.Show()
Me.Hide()
End If
End If
回答1:
Username, Password and EMail are text fields, so you need to pass the values for them enclosed in single quotes. Your command misses these quotes around the values in the string concatenation that build the command. Something like this
"INSERT INTO Users(UserName, [password], Email) VALUES('" & Me.UserNameTextBox.Text & "'....
but this is a really bad way to construct an sql command. You should ALWAYS use a parameterized query
Dim result1 = MsgBox("Are you sure you want to add this user a admin?", MsgBoxStyle.YesNo, "Add New User")
If result1 = vbYes Then
Using cnn = New OleDb.OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;.....")
Using cmd = new OleDb.OleDbCommand("INSERT INTO Users(UserName, [password], Email) " & _
"VALUES(?,?,?)"
cnn.Open()
cmd.Parameters.AddWithValue("@p1",Me.UserNameTextBox.Text)
cmd.Parameters.AddWithValue("@p2",Me.PasswordTextBox2.Text)
cmd.Parameters.AddWithValue("@p3",Me.EmailTextBox.Text)
Dim rowAdded = cmd.ExecuteNonQuery()
if rowAdded > 0 Then
MessageBox.Show("Account has been created!")
....
Else
MessageBox.Show("Problems!")
End If
End If
Parameterized query removes the need to construct complex query text by concatenating pieces of input values from your user, adding the required quotes for strings (eventually parsing for embedded quotes), checking for correct decimal separator when needed, passing dates in correct format, but the most important thing, a parameterized query removes the possibility of Sql Injection where your malicious user prepare special formatted string that could wreak havoc the database.
As a side note. Storing passwords in clear text is really a bad practice from a security standpoint. Depending on the context of your application this is a thing to not downplay. If someone could grab a copy of your database file he could read every user password stored.
EDIT
Checking again the string used in the connection string to set the database name it appears really wrong.
Here, splitted for readability
"...;Data Source=" & Application.StartupPath & "C:\Users\daNo\Documents\" & _
"Visual Studio 2013\Projects\WindowsApplication1\WindowsApplication1\bin\chem.accdb;..."
This results in a wrong path to the database. If you have a fixed location where you store the accdb file then you could remove that Application.StartupPath
来源:https://stackoverflow.com/questions/26227946/cant-add-data-to-access-database