다음 예제를 사용하여 명확히하려고합니다. 여기에 두 개의 드롭 다운 목록 (ddlInsertEmployee + ddlInsertCustomer)이 있어야합니다. 둘 다 테이블 [Employee.EmployeeID] 및 [Customer.CustomerID]에서 데이터를 가져 와서 [Task] 테이블에 삽입해야합니다.드롭 다운 목록에 대한 SQL 문자열 조정
문제는 Employee.Fullname 및 Customer.Fullname의 데이터를 resp에 삽입한다는 것입니다. Employee.EmployeeID 및 Customer.CustomerID. 드롭 다운 목록을 텍스트 상자로 변경하고 수동으로 ID를 삽입하면 매력처럼 작동하지만 이것은 효율적이지 않으며 전체 Fullname을 볼 수 있기를 원합니다.
이 작업을 올바르게 수행하기 위해 Sqlstring을 변경하는 방법을 모르겠다. 나는 이것이 어떤 의미가되기를 바랍니다. 어떤 도움을 많이 주셔서 감사합니다!
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.SqlClient
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls
Imports System.Web.UI.WebControls.DropDownList
Protected Sub btnSubmit_Click(sender As Object, e As System.EventArgs) Handles btnSubmit.Click
Dim MyConn As OleDbConnection
Dim cmd As OleDbCommand
Dim Sqlstring, TaskDesc, TaskSolved, Employee, Customer, DateIn, DateOut, TaskHours As String
TaskDesc = txtTaskDesc.Text
TaskSolved = txtTaskSolved.Text
Employee = ddlInsertEmployee.Text
Customer = ddlInsertCustomer.Text
DateIn = txtDateReg.Text
DateOut = txtDateSolved.Text
TaskHours = txtHours.Text
MyConn = New OleDbConnection("Provider=Microsoft.ACE.OLEDB.12.0;Data Source=|DataDirectory|\DATABASE.accdb;")
MyConn.Open()
Sqlstring = "INSERT INTO Task (TaskDesc, TaskSolved, EmployeeID, CustomerID, DateIn, DateOut, TaskHours) VALUES ('" + TaskDesc + "', '" + TaskSolved + "', '" + Employee + "', '" + Customer + "', '" + DateIn + "', '" + DateOut + "', '" + TaskHours + "')"
cmd = New OleDbCommand(Sqlstring, MyConn)
cmd.ExecuteNonQuery()
MyConn.Close()
lblMessage.Text = "Task Added Successfully !!!"
End Sub
End Class
--------
Employee
<asp:DropDownList ID="ddlInsertEmployee" runat="server" AutoPostBack="True"
DataSourceID="SqlDataSource5" DataTextField="EmployeeFullName"
DataValueField="EmployeeFullName">
</asp:DropDownList>
<asp:SqlDataSource ID="SqlDataSource5" runat="server"
ConnectionString="<%$ ConnectionStrings:conntoDB %>"
ProviderName="<%$ ConnectionStrings:conntoDB.ProviderName %>"
SelectCommand="SELECT EmployeeFullName, EmployeeID FROM Employee">
</asp:SqlDataSource>
<br />
<br />
Customer <asp:DropDownList ID="ddlInsertCustomer" runat="server"
AutoPostBack="True" DataSourceID="SqlDataSource6"
DataTextField="CustomerFullName" DataValueField="CustomerFullName">
</asp:DropDownList>
<asp:SqlDataSource ID="SqlDataSource6" runat="server"
ConnectionString="<%$ ConnectionStrings:conntoDB %>"
ProviderName="<%$ ConnectionStrings:conntoDB.ProviderName %>"
SelectCommand="SELECT CustomerID, CustomerFullName FROM Customer">
</asp:SqlDataSource>
나는 오류가 나타납니다 :
Exception Details: System.Data.OleDb.OleDbException: Data type mismatch in criteria expression.
Source Error:
Line 60: Sqlstring = "INSERT INTO Task (TaskDesc, TaskSolved, EmployeeID, CustomerID, DateIn, DateOut, TaskHours) VALUES ('" + TaskDesc + "', '" + TaskSolved + "', '" + Employee + "', '" + Customer + "', '" + DateIn + "', '" + DateOut + "', '" + TaskHours + "')"
Line 61: cmd = New OleDbCommand(Sqlstring, MyConn)
[B]Line 62: cmd.ExecuteNonQuery() Line 63: MyConn.Close()[/B]
Line 64: lblMessage.Text = "Task Added Successfully !!!"
Source File: C:\Projekt\NewTask.aspx.vb Line: 62
[SQL Injection] (http://ko.wikipedia.org/wiki/SQL_injection)에 대한 메모입니다. SQL 쿼리를 만들기 위해 문자열을 연결해서는 안됩니다. 매개 변수화 된 쿼리를 사용하십시오. – jadarnel27