0

我在 VB .NET 应用程序中有以下代码。我正在尝试使用带有 SQL 数据的数据更新 Oracle 表中的列。当我运行应用程序时,我得到(ORA-00933:SQL 命令未正确结束)'or_cmd_3.ExecuteNonQuery()' 行。

如果我去掉代码并在 TOAD 或 SQL Developer 中运行它,用一些虚假数据替换临时变量,它会更新得很好。我错过了什么?

提前谢谢了。

  ElseIf (oracle_summary_temp = ueio_tmpALM_Summary) And (oracle_request_ID_temp = ueio_tmpALM_ID) And added_to_alm = "1" AndAlso ({"Deferred", "Rejected", "Closed"}.Contains(ueio_tmpALM_Status)) Then
Dim update_oracle As String = Nothing

update_oracle =
"update SCHEMA.TABLE set ISSUE_ADDED_TO_ALM = '2'," & _
"ISSUE_STATUS = '" & ueio_tmpALM_Status & "'," & _
"ISSUE_REJECTED_REASON = '" & ueio_tmpALM_Rejected & "'," & _
"ISSUE_PHASE = '" & ueio_tmpALM_Current_Phase & "'," & _
"ISSUE_PRIORITY = '" & ueio_tmpALM_Priority & "'," & _
"ISSUE_SYSTEM_IMPACTED = '" & ueio_tmpALM_System_Impacted & "'," & _
"ISSUE_DQ_ANALYST = '" & ueio_tmpALM_DQ_Analyst & "'," & _
"ISSUE_COMMENTS = '" & ueio_tmpALM_Comments & "'," & _
"ISSUE_OWNER_DEPARTMENT = '" & ueio_tmpALM_Owner_Department & "'," & _
"ALM_ISSUE_ID = '" & ueio_tmpALM_ID & "'," & _
"DQ_Team = '" & ueio_tmpALM_DQ_Team & "'" & _
"where ISSUE_SUMMARY = '" & ueio_tmpALM_Summary & "'"

Dim or_cmd= New NetOracle.OracleCommand(update_oracle, OracleConn)
or_cmd.ExecuteNonQuery()
4

1 回答 1

2

构建连接输入字符串的查询文本始终是一种不好的做法。
一个原因是您需要删除破坏查询的字符,例如单引号或数据库查询语法定义的其他字符。但最重要的原因是Sql Injection Attacks的可能性。也就是说,您的错误的可能原因是 where 子句之前缺少空格。您应该以这种方式使用参数替换所有文本:

update_oracle = "update SCHEMA.TABLE set " & _
       "ISSUE_ADDED_TO_ALM = '2'," & _ 
       "ISSUE_STATUS = :tmpALMStatus, " & _
       "ISSUE_REJECTED_REASON = :tmpALMRejected," & _ 
       "ISSUE_PHASE = :tmpALMCurrent_Phase, " & _
       "ISSUE_PRIORITY = :tmpALMPriority," & _
       "ISSUE_SYSTEM_IMPACTED = :tmpALMSystemImpacted," & _ 
       "ISSUE_DQ_ANALYST = :tmpALMDQAnalyst, " & _ 
       "ISSUE_COMMENTS = :tmpALMComments," & _
       "ISSUE_OWNER_DEPARTMENT = :tmpALMOwnerDepartment, " & _ 
       "ALM_ISSUE_ID = :tmpALM_ID," & _ 
       "DQ_Team = :tmpALM_DQ_Team" & _
       " where ISSUE_SUMMARY = :tmpALM_Summary" 

   Dim or_cmd= New NetOracle.OracleCommand(update_oracle, OracleConn)   
   or_cmd.Parameters.AddWithValue(":tmpALMStatus",ueio_tmpALM_Status)
   or_cmd.Parameters.AddWithValue(":tmpALMRejected" ,ueio_tmpALM_Rejected )
   or_cmd.Parameters.AddWithValue(":tmpALMCurrent_Phase",ueio_tmpALM_Current_Phase)
   or_cmd.Parameters.AddWithValue(":tmpALMPriority",ueio_tmpALM_Priority)
   or_cmd.Parameters.AddWithValue(":tmpALMSystemImpacted" ,ueio_tmpALM_System_Impacted)
   or_cmd.Parameters.AddWithValue(":tmpALMDQAnalyst" ,ueio_tmpALM_DQ_Analyst)
   or_cmd.Parameters.AddWithValue(":tmpALMComments",ueio_tmpALM_Comments)
   or_cmd.Parameters.AddWithValue(":tmpALMOwnerDepartment",ueio_tmpALM_Owner_Department)
   or_cmd.Parameters.AddWithValue(":tmpALM_ID",ueio_tmpALM_ID)
   or_cmd.Parameters.AddWithValue(":tmpALM_DQ_Team",ueio_tmpALM_DQ_Team)
   or_cmd.Parameters.AddWithValue(":tmpALM_Summary",ueio_tmpALM_Summary)
   or_cmd.ExecuteNonQuery()
于 2012-05-07T16:38:46.510 回答