插入语句中的语法错误

Question

我是数据库连接的新手，当我遇到cmdInsert.ExecuteNonQuery()行的问题时，它说INSERT INTO语句存在语法错误，我无法弄清楚问题所在：

Imports System.Data 
Imports System.Data.OleDb 
Public Class txtNotes 
    Dim cnnOLEDB As New OleDbConnection 
    Dim cmdInsert As New OleDbCommand 

    Dim strConnectionString = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & System.Environment.CurrentDirectory & "\CourseworkDB" 
    'the name of the database goes in here' 

    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load 

     cnnOLEDB.ConnectionString = strConnectionString 
     cnnOLEDB.Open() 

    End Sub 

    Private Sub AddFirstName_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles AddFirstName.Click 
     If txtFirstName.Text <> "" Then 

      MsgBox(cmdInsert.CommandText) 
      cmdInsert.CommandText = "INSERT INTO Customer (First Name) VALUES (" & txtFirstName.Text & ", '" 
      cmdInsert.CommandType = CommandType.Text 
      cmdInsert.Connection = cnnOLEDB 
      cmdInsert.ExecuteNonQuery() 
     Else 
      MsgBox("Enter the required values:" & vbNewLine & "1. First Name") 
     End If 
     cmdInsert.Dispose() 
    End Sub 
End Class 

Answer 1

试试这个

"INSERT INTO Customer (First Name) VALUES ('" & txtFirstName.Text & "')"

Answer 2

警告：Bobby在看着你。

cmdInsert.CommandText = _ 
"INSERT INTO Customer (First Name) VALUES ('" & txtFirstName.Text & "')" 

Answer 3

I强烈建议您不要进入构建SQL字符串的例程，通过将字符串串联在一起。你正在向SQL注入开放，特别是如果这是基于Web的。您应该在字符串中使用占位符参数构建命令，然后将这些参数添加到命令对象。添加参数相同的顺序，因为它们将出现在命令如

cmdInsert.CommandText = "INSERT INTO Customer (FirstName, LastName) VALUES (@parmFirstName, @parmLastName)" 
cmdInsert.Parameters.AddWithValue("@parmFirstName", txtFirstName.Text); 
cmdInsert.Parameters.AddWithValue("@parmLastName", txtLastName.Text); 

如果你的字段名称已嵌入空格，不同的数据库 不同，有些需要单一反引号（关键左1）在场地周围。如'名字'。有些使用方括号， 如[名字]。