ขออนุญาติสอบถามเรื่อง Insert into เครื่องหมาย ' single quote ลง ฐานข้อมูล SQL (VB)
ใช้การ Replace ตัว ' เป็น '' (2 ตัว) ครับ เช่นCode (VB.NET) Public Function SQLSafe(ByVal str As String)
Return str.Replace("'","''")
End Function
Date :
2017-02-07 11:27:00By :
mr.win
แต่แนะนำให้ใช้แบบ Parameter Query แทนครับCode (C#) //*** FOR INSERT ***//
strSQL = "INSERT INTO customer (CustomerID,Name,Email,CountryCode,Budget,Used) " +
"VALUES (@sCustomerID,@sName,@sEmail,@sCountryCode,@sBudget,@sUsed)";
objCmd = new System.Data.SqlClient.SqlCommand(strSQL,objConn);
//*** Sample 1 ***//
/*
objCmd.Parameters.AddWithValue("@sCustomerID","C005");
objCmd.Parameters.AddWithValue("@sName","Weerachai Nukitram");
objCmd.Parameters.AddWithValue("@sEmail","[email protected] ");
objCmd.Parameters.AddWithValue("@sCountryCode","TH");
objCmd.Parameters.AddWithValue("@sBudget","2000000");
objCmd.Parameters.AddWithValue("@sUsed","1000000");
*/
//*** Sample 2 ***//
objCmd.Parameters.Add(new SqlParameter("@sCustomerID","C005"));
objCmd.Parameters.Add(new SqlParameter("@sName","Weerachai Nukitram"));
objCmd.Parameters.Add(new SqlParameter("@sEmail","[email protected] "));
objCmd.Parameters.Add(new SqlParameter("@sCountryCode","TH"));
objCmd.Parameters.Add(new SqlParameter("@sBudget","2000000"));
objCmd.Parameters.Add(new SqlParameter("@sUsed","1000000"));
objCmd.ExecuteNonQuery();
(C#) ASP.NET System.Data.SqlClient - Parameter Query (SqlParameter)
Date :
2017-02-07 11:28:51By :
mr.win
ใช้แบบ Parameters จะดีและปลอดภัยกว่าเยอะเลยนะครับ
Date :
2017-02-07 13:43:38By :
mr.win
ผมใช้แบบ Replace '' เอาครับ
Date :
2017-02-08 07:49:25By :
fonfire
เหมือนการจัดการ database จะผลักให้มีการจัดการในรูปของ list ให้มากขึ้นรึป่าวครับCode (C#) this._adapter.InsertCommand = new global::System.Data.SqlClient.SqlCommand();
this._adapter.InsertCommand.Connection = this.Connection;
this._adapter.InsertCommand.CommandText = "INSERT INTO [dbo].[PostCode_Amphur] ([Post_Amphur], [Post_Amphur_Eng]) VALUES (@P" +
"ost_Amphur, @Post_Amphur_Eng);\r\nSELECT Post_Amphur_ID, Post_Amphur, Post_Amphur_" +
"Eng FROM PostCode_Amphur WHERE (Post_Amphur_ID = SCOPE_IDENTITY())";
this._adapter.InsertCommand.CommandType = global::System.Data.CommandType.Text;
this._adapter.InsertCommand.Parameters.Add(new global::System.Data.SqlClient.SqlParameter("@Post_Amphur", global::System.Data.SqlDbType.VarChar, 0, global::System.Data.ParameterDirection.Input, 0, 0, "Post_Amphur", global::System.Data.DataRowVersion.Current, false, null, "", "", ""));
this._adapter.InsertCommand.Parameters.Add(new global::System.Data.SqlClient.SqlParameter("@Post_Amphur_Eng", global::System.Data.SqlDbType.VarChar, 0, global::System.Data.ParameterDirection.Input, 0, 0, "Post_Amphur_Eng", global::System.Data.DataRowVersion.Current, false, null, "", "", ""));
Code (C#) private int UpdateUpdatedRows(DATA_ALSDataSet dataSet, global::System.Collections.Generic.List<global::System.Data.DataRow> allChangedRows, global::System.Collections.Generic.List<global::System.Data.DataRow> allAddedRows) {
int result = 0;
if ((this._postCode_AmphurTableAdapter != null)) {
global::System.Data.DataRow[] updatedRows = dataSet.PostCode_Amphur.Select(null, null, global::System.Data.DataViewRowState.ModifiedCurrent);
updatedRows = this.GetRealUpdatedRows(updatedRows, allAddedRows);
if (((updatedRows != null)
&& (0 < updatedRows.Length))) {
result = (result + this._postCode_AmphurTableAdapter.Update(updatedRows));
allChangedRows.AddRange(updatedRows);
}
}
return result;
}
Date :
2017-02-08 08:47:57By :
lamaka.tor
กรณีที่เป็น DataType จะต้องระบุเข้าไปด้วยครับ ตัวอย่างCode (VB.NET) strConnString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\database.mdb"
objConn.ConnectionString = strConnString
objConn.Open()
'*** Insert to orders ***'
strSQL = "INSERT INTO orders (OrderDate,Name,Address,Tel,Email) " & _
" VALUES " & _
" (@sOrderDate,@sName,@sAddress,@sTel,@sEmail)"
Dim objCmd As New OleDbCommand(strSQL, objConn)
objCmd.Parameters.Add("@sOrderDate", OleDbType.Date).Value = Now()
objCmd.Parameters.Add("@sName", OleDbType.VarChar).Value = Me.txtName.Text
objCmd.Parameters.Add("@sAddress", OleDbType.VarChar).Value = Me.txtAddress.Text
objCmd.Parameters.Add("@sTel", OleDbType.VarChar).Value = Me.txtTel.Text
objCmd.Parameters.Add("@sEmail", OleDbType.VarChar).Value = Me.txtEmail.Text
objCmd.ExecuteNonQuery()
'*** Select OrderID ***'
strSQL = "SELECT Max(OrderID) As sOrderID FROM orders "
dtAdapter = New OleDbDataAdapter(strSQL.ToString(), objConn)
dtAdapter.Fill(dt1)
If dt1.Rows.Count > 0 Then
strOrderID = dt1.Rows(0)("sOrderID")
End If
'*** Insert to orders_detail ***'
dt2 = DirectCast(Session("myCart"), DataTable)
For i = 0 To dt2.Rows.Count - 1
strSQL = "INSERT INTO orders_detail (OrderID,ProductID,Qty) " & _
" VALUES " & _
" ('" & strOrderID & "','" & dt2.Rows(i)("ProductID") & "','" & dt2.Rows(i)("Qty") & "')"
With objCmd
.Connection = objConn
.CommandText = strSQL
.CommandType = CommandType.Text
.ExecuteNonQuery()
End With
Next
objConn.Close()
objConn = Nothing
Date :
2017-02-08 10:22:33By :
mr.win
Server 05
Load balance : Server 05
