开发环境为vs2003+Access2000以下是Sql语句string sql="insert into stuInfo (stu_NO,stu_Name,cjmc) values('"+StudentID+"','"+StudentName+"','"+Cjmc+"')";变量的值有时会为空,但所有的变量都有值时语句可以正常执行,但是当有值为空时,调试时就报insert into语句不正确(调试时,语句变为insert into stuInfo (stu_NO,stu_Name,cjmc) values('aaa','','')),数据库中设置的是可以为空的请教一下,要实现这样的功能,改怎么写这条语句?谢谢了
string sql="insert into stuInfo (stu_NO,stu_Name,cjmc) values (" + values + ")";
OleDbCommand cmd=new OleDbCommand("insert into stuInfo (stu_NO,stu_Name,cjmc) values (@stu_No,@stu_Name,@cjmc)");
cmd.Connection=con;
OleDbParameter parm0=cmd.Parameters.Add("@stu_No",OleDbType.Integer);
OleDbParameter parm1=cmd.Parameters.Add("@stu_Name",OleDbType.VarChar);
OleDbParameter parm2=cmd.Parameters.Add("@cjmc",OleDbType.VarChar);
parm0.Value=StudentID;
parm1.Value=StudentName;
parm2.Value=Cjmc;
cmd.ExecuteNonQuery();
参数化好啊,而且不容易注入
{
if(sqlvalue == null)
return "null";
else
return "'" + sqlvalue.ToString().Replace("'", "\"") + "'";
}