I am new in vb.net i have sqlcommand string as shown
Dim query As [String] = "insert into tblDefProducts( Creation_Date, Product_code,line_item_id , item_name , category_id , subcategory_id , Gender ,LifeType, supplier_id , Acquire_type , Purchase_type , Manufacture_type , Pur_Con_Unit, Pur_Con_factor ,Tax_At_Retail_Price, Sale_Tax ,Average_cost ,Product_group_id,status,Technical_details )
values( " & DateTimePicker2.Value.ToString() & ",'" & PCode_TXT.Text & "','" & LineItem_TXT.Text & "' , '" & PName_TXT.Text & "','" & CategoryM_CMB.Text & "','" & CategoryS_CMB.Text & "','" & ProductGender_TXT.Text & "', '" & ProductLifeT_CMD.Text & "','" & ProductSupplier_CMB.Text & "','" & PAquireType_CMB.Text & "', '" & PPurchaseType_CMB.Text & "','" & PManufacturing_CMB.Text & "','" & PConnUnit_CMB.Text & "' ," & Convert.ToInt32(PConFactory_TXT.Text) & "," & Convert.ToInt32(PSalesTaxPurchase_TXT.Text) & "," & Convert.ToInt32(PSalesTaxSales_TXT.Text) & "," & Convert.ToInt32(PPRICE_TXT.Text) & " , " & PTypeA & " , " & pActive & ",'" & PTechnicalDetail_TXT.Text & "')"
Input string is not in a correct format second insertion of datetime value from datetimepicker1 to database column creation_date have datatype DateTime but datetimepicker gives value #1/1/1900#also have to parse using sql
使用字符串替换来传递参数并不是一个好主意,原因有很多:它容易受到SQL Injection攻击的影响,更容易出错并且更难以阅读和理解.保持.
Using string contaternation to pass parameters is not a good idea for a number of reasons: Its vulnerable to SQL Injection attacks, more prone to errors and harder to read and maintain.
In you question the problem is likly due to missing '' around some of your values.
想象一下,如果您只希望用户能够更新表中的某些字段,但是用户在文本框中输入了诸如"Hello",ReadOnlyField ='World之类的内容,然后将其合并到查询中.ReadOnlyField世界将被更新.使用参数可以避免这种情况.
Imagine if you only wanted the user to be able to update certain fields in your table but the user typed something like "Hello', ReadOnlyField = 'World" into a text box which you then concaternate into your query. The ReadOnlyField world be updated. With parameters this would be prevented.
If you use parameters instead you don't need to wory about '' as parameters are typed variables and not strings.
您也不需要将所有内容都转换为字符串,因为大多数.NET primitves具有SQL等效项.
You also don't need to convert everything to a string as most .NET primitves has SQL equivalents.
有关VB.Net SqlCommand.Parameters的示例和文档,请参见此处
See here for examples and documentation on VB.Net SqlCommand.Parameters