Joining two tables

Time: 2016-03-15 02:02:06

Tags: vb.net-2010

    ' First lookup: the StudentID typed into the form is concatenated into the SQL text
    st = "SELECT YearLevel FROM Students WHERE StudentID = " & txtStudentID.Text
    da = New OleDbDataAdapter(st, conn)
    da.Fill(ds, "Students")
    YearLevel = ds.Tables("Students").Rows(0).Item("YearLevel")

    ' Second lookup: the YearLevel just read (a string such as "Grade 1") is
    ' concatenated into the SQL text without quotes
    st1 = "SELECT TuitionFee, BookFee, MiscellaneousFee, OtherFee FROM Expenses WHERE YearLevel = " & YearLevel

    da1 = New OleDbDataAdapter(st1, conn)
    da1.Fill(ds1, "Expenses")

So I have that code, and then I get a bad operator error in the second query. What could the solution be?

1 answer:

Answer 0: (score: 0)

The reason you get this error is that the value of YearLevel is Grade 1, which needs to be escaped with quotes. So the actual query you want the RDBMS to execute probably looks like this:

SELECT TuitionFee, BookFee, MiscellaneousFee, OtherFee
FROM Expenses
WHERE YearLevel = 'Grade 1'

You could add the quotes directly in the string st1, but that could open the door to SQL injection. Here is a safer approach:

' OleDbCommand rather than SqlCommand, since conn is an OleDbConnection; OleDb binds parameters by position, so the placeholder in the SQL text is ?
Dim MyCommand As New OleDbCommand("SELECT TuitionFee, BookFee, MiscellaneousFee, OtherFee FROM Expenses WHERE YearLevel = ?", conn)
MyCommand.Parameters.AddWithValue("@YearLevel", YearLevel)
da1 = New OleDbDataAdapter(MyCommand)

VB.net should sense that the parameter is of character type and automatically escape it with quotes.
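As an added illustration (not code from the question or the answer), the three variants side by side: the unquoted concatenation from the question, the "just add quotes" fix, and the parameterized query. It is written in Python with an in-memory SQLite database standing in for the Access/OleDb setup; the Students and Expenses rows are constructed for the example, and SQLite, like OleDb, uses positional ? placeholders. It goes one step beyond the answer by collapsing the two lookups into a single parameterized join, so the StudentID from the form is no longer concatenated into SQL text either.

```python
import sqlite3

FEES = "SELECT TuitionFee, BookFee, MiscellaneousFee, OtherFee FROM Expenses WHERE YearLevel = "


def make_db():
    """Constructed sample data standing in for the question's two tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Students (StudentID INTEGER PRIMARY KEY, YearLevel TEXT);
        CREATE TABLE Expenses (YearLevel TEXT, TuitionFee REAL, BookFee REAL,
                               MiscellaneousFee REAL, OtherFee REAL);
        INSERT INTO Students VALUES (1001, 'Grade 1'), (1002, 'Grade 2');
        INSERT INTO Expenses VALUES ('Grade 1', 1000, 150, 50, 25),
                                    ('Grade 2', 1100, 160, 55, 30);
    """)
    return conn


def fees_unquoted(conn, year_level):
    """The question's st1: the value is pasted into the SQL text as-is."""
    return conn.execute(FEES + year_level).fetchall()


def fees_quoted(conn, year_level):
    """The 'just add quotes' fix: runs for Grade 1, but the value is still
    part of the SQL text, so a quote in the input rewrites the query."""
    return conn.execute(FEES + "'" + year_level + "'").fetchall()


def fees_parameterized(conn, year_level):
    """Positional ? placeholder, the same convention OleDb uses. The driver
    sends the value separately from the statement, so no quoting is needed
    and the input can never change the query's structure."""
    return conn.execute(FEES + "?", (year_level,)).fetchall()


def fees_for_student(conn, student_id):
    """Beyond the answer: one parameterized join replaces both lookups, so
    StudentID is no longer concatenated into the SQL text either."""
    sql = """
        SELECT e.TuitionFee, e.BookFee, e.MiscellaneousFee, e.OtherFee
        FROM Students AS s
        INNER JOIN Expenses AS e ON e.YearLevel = s.YearLevel
        WHERE s.StudentID = ?
    """
    return conn.execute(sql, (student_id,)).fetchall()


def demo():
    """Run each variant on 'Grade 1' and on a constructed injection payload."""
    conn = make_db()
    payload = "x' OR '1'='1"   # constructed attacker input
    out = {}
    try:
        out["unquoted"] = fees_unquoted(conn, "Grade 1")
    except sqlite3.OperationalError as exc:
        # SQLite rejects "= Grade 1" as a syntax error; the question's
        # operator error from Access is the same failure
        out["unquoted"] = "error: " + str(exc)
    out["quoted_ok"] = fees_quoted(conn, "Grade 1")
    out["quoted_injected"] = fees_quoted(conn, payload)          # every row
    out["param_ok"] = fees_parameterized(conn, "Grade 1")
    out["param_injected"] = fees_parameterized(conn, payload)    # no such YearLevel
    out["join_ok"] = fees_for_student(conn, 1001)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The quoted variant returns every Expenses row for the payload because the input closes the string literal and appends OR '1'='1'; the parameterized variant looks for a YearLevel literally equal to the payload and finds nothing, which is the behaviour you want.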