If 语句不允许插入语句工作，因为单元格为空

Posted 2023-02-15

【中文标题】If 语句不允许插入语句工作，因为单元格为空

【英文标题】：If statement to not allow insert statement to work because a cell is null

【发布时间】：2021-12-16 00:12:48

【问题描述】：

我希望代码不允许完整按钮工作，因为“StartTime”列为空。

附上以下代码：

Imports System.Data.SqlClient
Imports System.Data
Imports System.IO
Public Class Etask
Dim con As SqlConnection
                Dim cmd As SqlCommand
                 Private Sub Etask_Load(sender As Object, e As EventArgs) Handles MyBase.Load

    Labelname.Text = login.mname
    Dim str As String = "Data Source=ICECANDY;Initial Catalog=RestaurantDatabase;integrated security=true"
    Dim con As New SqlConnection(str)
    Dim com As String = "SELECT TaskID, Name, TaskAssigned, StartTime, FinishTime, Status
FROM     dbo.Tasks
WHERE  Name = '" & Labelname.Text & "'"
    Dim Adpt As New SqlDataAdapter(com, con)
    Dim ds As New DataSet()
    Adpt.Fill(ds, "PosTable")
    DataGridView1.DataSource = ds.Tables(0)

End Sub

Private Sub Etask_Resize(sender As Object, e As EventArgs) Handles Me.Resize
    Panel1.Left = (Me.Width - Panel1.Width) / 2
End Sub
Private Sub Button2_Click(sender As Object, e As EventArgs) Handles Button2.Click
    refreshDGV()
End Sub

Public Sub refreshDGV()
    Labelname.Text = login.mname
    Dim str As String = "Data Source=ICECANDY;Initial Catalog=RestaurantDatabase;integrated security=true"
    Dim con As New SqlConnection(str)
    Dim com As String = "SELECT TaskID, Name, TaskAssigned, StartTime, FinishTime, Status
 FROM     dbo.Tasks
 WHERE  Name = '" & Labelname.Text & "'"
    Dim Adpt As New SqlDataAdapter(com, con)
    Dim ds As New DataSet()
    Adpt.Fill(ds, "PosTable")
    DataGridView1.DataSource = ds.Tables(0)
End Sub

'complete button
Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Dim con As New SqlConnection("Data Source=ICECANDY;Initial Catalog=RestaurantDatabase;integrated security=true")
    Dim query As String = "update Tasks set FinishTime=@FinishTime,Status=@Status where TaskID=@id"

    con.Open()
    cmd = New SqlCommand(query, con)
    cmd.Parameters.Add("@id", SqlDbType.VarChar).Value = LabelID.Text
    cmd.Parameters.Add("@FinishTime", SqlDbType.VarChar).Value = Label1.Text
    cmd.Parameters.Add("@Status", SqlDbType.VarChar).Value = comboboxstatus.Text
    cmd.ExecuteNonQuery()
    con.Close()
    MsgBox("Successfully updated!")
    refreshDGV()
End Sub

Private Sub FillByToolStripButton_Click(sender As Object, e As EventArgs) 
    Try
        Me.TasksTableAdapter.FillBy(Me.RestaurantDatabaseDataSet2.Tasks)
    Catch ex As System.Exception
        System.Windows.Forms.MessageBox.Show(ex.Message)
    End Try

End Sub

Private Sub DataGridView1_CellClick(sender As Object, e As DataGridViewCellEventArgs) Handles DataGridView1.CellClick
    Dim i As Integer
    i = DataGridView1.CurrentRow.Index
    Me.LabelID.Text = DataGridView1.Item(0, i).Value
End Sub

Private Sub btnstart_Click(sender As Object, e As EventArgs) Handles btnstart.Click
    Dim con As New SqlConnection("Data Source=ICECANDY;Initial Catalog=RestaurantDatabase;integrated security=true")
    Dim query As String = "update Tasks set StartTime=@StartTime,Status=@Status where TaskID=@id"

    con.Open()
    cmd = New SqlCommand(query, con)
    cmd.Parameters.Add("@id", SqlDbType.VarChar).Value = LabelID.Text
    cmd.Parameters.Add("@StartTime", SqlDbType.VarChar).Value = Label1.Text
    cmd.Parameters.Add("@Status", SqlDbType.VarChar).Value = "Working on it!"
    cmd.ExecuteNonQuery()
    con.Close()
    MsgBox("Successfully started!")
    refreshDGV()
End Sub

Private Sub Timer1_Tick(sender As Object, e As EventArgs) Handles Timer1.Tick
    Label1.Text = Date.Now.ToString("dd MMM yyyy  hh:mm:ss")
End Sub


    End Class

这是应用程序的样子：

我希望代码检查 StartTime 列中的空数据。如果它为空，那么完成按钮将不起作用。 Button1 是完成任务的按钮。

【问题讨论】：

警告：您的代码很危险，很容易受到注入攻击。 总是参数化你的陈述。

如何参数化上述语句？

How do I create a parameterized SQL query? Why Should I?

谢谢你。我一定会改的

【参考方案1】：

ExecuteNonQuery 返回一个整数，其中包含受影响的行数。

如果您创建查询以使其在列为 NULL 时不进行更新，则它将返回 0，您可以检查该值。

此外，将连接字符串放在一个位置更容易，因此如果您需要更改它，您只需这样做一次 - 很容易错过字符串的出现而不得不去再次编辑它。通常，此类数据存储在程序的设置中，但我在此示例中将其设置为常量：

Public Const CONNSTR As String = "Data Source=ICECANDY;Initial Catalog=RestaurantDatabase;integrated security=true"

'....

Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Dim query As String = "UPDATE Tasks
                             SET FinishTime = @FinishTime, Status = @Status
                             WHERE TaskID = @id
                             AND StartTime IS NOT NULL"

    Dim nRowsAffected = 0

    Using con As New SqlConnection(CONNSTR),
          cmd As New SqlCommand(query, con)

        cmd.Parameters.Add("@id", SqlDbType.VarChar).Value = LabelID.Text
        cmd.Parameters.Add("@FinishTime", SqlDbType.VarChar).Value = Label1.Text
        cmd.Parameters.Add("@Status", SqlDbType.VarChar).Value = comboboxstatus.Text

        con.Open()
        nRowsAffected = cmd.ExecuteNonQuery()

    End Using

    If nRowsAffected = 0 Then
        MsgBox("Database not updated - check for empty StartTime.")
    Else
        MsgBox("Successfully updated!")
    End If

    refreshDGV()

End Sub

Using 语句确保在完成时释放“非托管资源”。