对于INSERT语句VBA,不添加到ADOstring的参数

我想学习如何避免SQL注入,并使用VBA连接到一个MySQL数据库通过在VB中的ADO。

我遇到的问题是线路

Set rs = cmd.Execute 

我得到以下错误,我没有能够在两天的数字:“没有给出一个或多个所需的参数值”。

当然,当打印参数string,它返回这个:(我已经注意到参数的差异..不知道为什么会发生)

 INSERT INTO prm1=? VALUES prm2=?, prm3=?, prm4=?, prm5=?, prm6=?, prm7=?, prm8=?, prm9=?, prm10=?, prm11=?, prm12=?, prm13=?; 

这是我用来澄清的代码:

 Function addToServer(file As String, server As Integer, lastRow As Integer) Sheets("usage").Select Dim str As String Dim i As Integer Dim conn As ADODB.Connection Set conn = DBConnection Dim rs As ADODB.Recordset Set rs = New ADODB.Recordset Dim cmd As ADODB.Command Dim prm2 As ADODB.Parameter Dim prm3 As ADODB.Parameter Dim prm4 As ADODB.Parameter Dim prm5 As ADODB.Parameter Dim prm6 As ADODB.Parameter Dim prm7 As ADODB.Parameter Dim prm8 As ADODB.Parameter Dim prm10 As ADODB.Parameter Dim prm11 As ADODB.Parameter Dim prm12 As ADODB.Parameter Dim prm13 As ADODB.Parameter Dim prm14 As ADODB.Parameter Dim prm15 As ADODB.Parameter Set cmd = New ADODB.Command cmd.ActiveConnection = conn With cmd If server <> 0 Then .CommandText = "INSERT INTO NLVMerlinResults (Year, Month, Day, Lab, Station, IP, thisWeek, Week1, Week2, Week3, Week4, Week5, WeeksInMonth, SumOverWeeks) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);" Else .CommandText = "INSERT INTO STMerlinResults (Year, Month, Day, Lab, Station, IP, thisWeek, Week1, Week2, Week3, Week4, Week5, WeeksInMonth, SumOverWeeks) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ;" End If cmd.CommandType = adCmdText Set prm2 = .CreateParameter(Name:="year", Type:=adInteger, size:=4) .Parameters.Append prm2 Set prm3 = .CreateParameter(Name:="month", Type:=adSmallInt, size:=2) .Parameters.Append prm3 Set prm4 = .CreateParameter(Name:="day", Type:=adSmallInt, size:=2) .Parameters.Append prm4 Set prm5 = .CreateParameter(Name:="lab", Type:=adVarChar, size:=30) .Parameters.Append prm5 Set prm6 = .CreateParameter(Name:="cell", Type:=adVarChar, size:=30) .Parameters.Append prm6 Set prm7 = .CreateParameter(Name:="ip", Type:=adVarChar, size:=20) .Parameters.Append prm7 Set prm8 = .CreateParameter(Name:="week", Type:=adSmallInt, size:=2) .Parameters.Append prm8 Set prm9 = .CreateParameter(Name:="1", Type:=adVarChar, size:=10) .Parameters.Append prm9 Set prm10 = .CreateParameter(Name:="2", Type:=adVarChar, size:=10) .Parameters.Append prm10 Set prm11 = .CreateParameter(Name:="3", Type:=adVarChar, size:=10) .Parameters.Append prm11 Set prm12 = .CreateParameter(Name:="4", Type:=adVarChar, size:=10) .Parameters.Append prm12 Set prm13 = .CreateParameter(Name:="5", Type:=adVarChar, size:=10) .Parameters.Append prm13 Set prm14 = .CreateParameter(Name:="weeksinmonth", Type:=adTinyInt, size:=1) .Parameters.Append prm14 Set prm15 = .CreateParameter(Name:="total", Type:=adVarChar, size:=10) .Parameters.Append prm15 Dim j As Integer For i = 1 To lastRow For j = 1 To 15 If (j = 1) Then prm2.value = CLng(cells(i, j)) ElseIf (j = 2) Then prm3.value = CInt(cells(i, j)) ElseIf (j = 3) Then prm4.value = CInt(cells(i, j)) ElseIf (j = 4) Then prm5.value = CStr(cells(i, j)) ElseIf (j = 5) Then prm6.value = CStr(cells(i, j)) ElseIf (j = 6) Then prm7.value = CStr(cells(i, j)) ElseIf (j = 7) Then prm8.value = CInt(cells(i, j)) ElseIf (j = 8) Then If IsEmpty((cells(i, j))) Then prm9.value = vbNullString Else prm9.value = CStr(cells(i, j)) End If ElseIf (j = 9) Then If IsEmpty((cells(i, j))) Then prm10.value = vbNullString Else prm10.value = CStr(cells(i, j)) End If ElseIf (j = 10) Then If IsEmpty((cells(i, j))) Then prm11.value = vbNullString Else prm11.value = CStr(cells(i, j)) End If ElseIf (j = 11) Then If IsEmpty((cells(i, j))) Then prm12.value = vbNullString Else prm12.value = CStr(cells(i, j)) End If ElseIf (j = 12) Then If IsEmpty((cells(i, j))) Then prm13.value = vbNullString Else prm13.value = CStr(cells(i, j)) End If ElseIf (j = 13) Then prm14.value = CByte(cells(i, j)) ElseIf (j = 14) Then prm15.value = CStr(cells(i, j)) End If Next j .Execute Next i End With Set cmd = Nothing End Function 

我有两个不同的方法,我用上面显示,但它似乎既不是两个工作。 有人可以给我大致的方向,我可以做些什么来帮助? 我试图从.CreateParameter函数( http://www.w3schools.com/asp/met_comm_createparameter.asp说他们是可选的),但这也没有工作。

最好,

阿什利

编辑::我已经添加上面的编辑。 我试了一个testing插入,它是成功的。

 INSERT INTO `NLVMerlinResults` (Year, Month, Day, Lab, Station, IP, thisWeek, Week1, Week2, Week3, Week4, Week5, WeeksInMonth, SumOverWeeks) VALUES ("1", "2", "3", "4", "5", 1, 5, "5", "5", "6", 6, "5", "4", "5") 

虽然奇怪的是,它让我input整数和string时,DB只需要varchar …

删除“qualifer =?” 从SQL语句。 ODBC参数是用单个指定的? ,并且必须按照与声明中显示的顺序相同的顺序添加:

 INSERT INTO `NLVMerlinResults` (Year, Month, Day, Lab, Station, IP, thisWeek, Week1, Week2, Week3, Week4, Week5, WeeksInMonth, SumOverWeeks) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) 

OP编辑:问题陈述中提供的function代码。