将 varchar 转换为数字时出错:SQL Server 2008
我有这个 SQL 语句,但它返回:“将 varchar 转换为数字时出错”
ADOTailles.SQL.Text := 'INSERT INTO tailles (numOF, taille, quantite, prixVente) VALUES(''' + numOF.Text + ''',''' + C.Caption + ''',''' + Q.Text + ''',''' + P.Text + ''')';
ADOTailles.ExecSQL
数字字段是 prixVente;
我使用了这个,但仍然出现相同的错误:
ADOTailles.SQL.Text := 'INSERT INTO tailles (numOF, taille, quantite, prixVente) VALUES(''' + numOF.Text + ''',''' + C.Caption + ''',''' + Q.Text + ''',CAST(''' + P.Text + ''' AS numeric(5, 2)))');
ADOTailles.ExecSQL
注意:如果我输入一个 INTEGER ,则没有错误
完整的代码是:
var
I: Int8;
C: TCheckBox;
Q, P: TEdit;
for I := 1 to 16 do Begin
C := FindComponent('T' + IntToStr(I)) as TCheckBox;
Q := FindComponent('Q' + IntToStr(I)) as TEdit;
P := FindComponent('P' + IntToStr(I)) as TEdit;
if C.Checked = True then begin
ADOTailles.SQL.Text := 'INSERT INTO tailles (numOF, taille, quantite, prixVente) VALUES(''' + numOF.Text + ''',''' + C.Caption + ''',''' + Q.Text + ''',''' + P.Text + ''')';
ADOTailles.ExecSQL
end;
End;
没有 SQL 注入,因为我使用此代码:
StringReplace(aricleFilter.Text, '''', '', [rfReplaceAll]);
I have this SQL statement but it return : "error converting varchar to numeric"
ADOTailles.SQL.Text := 'INSERT INTO tailles (numOF, taille, quantite, prixVente) VALUES(''' + numOF.Text + ''',''' + C.Caption + ''',''' + Q.Text + ''',''' + P.Text + ''')';
ADOTailles.ExecSQL
The numeric field is prixVente;
I used this but still the same error:
ADOTailles.SQL.Text := 'INSERT INTO tailles (numOF, taille, quantite, prixVente) VALUES(''' + numOF.Text + ''',''' + C.Caption + ''',''' + Q.Text + ''',CAST(''' + P.Text + ''' AS numeric(5, 2)))');
ADOTailles.ExecSQL
NOTE: If I put an INTEGER there is no error
The full code is:
var
I: Int8;
C: TCheckBox;
Q, P: TEdit;
for I := 1 to 16 do Begin
C := FindComponent('T' + IntToStr(I)) as TCheckBox;
Q := FindComponent('Q' + IntToStr(I)) as TEdit;
P := FindComponent('P' + IntToStr(I)) as TEdit;
if C.Checked = True then begin
ADOTailles.SQL.Text := 'INSERT INTO tailles (numOF, taille, quantite, prixVente) VALUES(''' + numOF.Text + ''',''' + C.Caption + ''',''' + Q.Text + ''',''' + P.Text + ''')';
ADOTailles.ExecSQL
end;
End;
there is no SQL injection because I use this code:
StringReplace(aricleFilter.Text, '''', '', [rfReplaceAll]);
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
不要通过附加文本来创建 SQL 查询;使用参数。
否则您将陷入 Bobby Tables SQL 注入陷阱。
它也使得消除这些错误变得更加容易。
Don't create a SQL query by appending text; use parameters.
Or you'll fall into the Bobby Tables SQL injection trap.
It makes it way easier to get rid of these errors too.
也许您的字符串不包含数字符号或不正确的小数分隔符(例如“,”而不是“.”)。
Maybe your string contains not numeric symbols or incorrect decimal separator (for example "," instead of ".").
您将价格值放在报价之间,
这就是导致 SQLServer 尝试从 varchar 转换为数字的原因。为了防止这种情况,您必须保留引号:
并确保 P.Text 包含 SQL Server 期望的小数点和千位分隔符。最好只有小数点分隔符。您始终可以使用 StrToFloat 或 StrToFloatDef 自行进行转换,并将 P.Text 作为输入,然后针对 SQLServer 重新格式化。
据我所知,SQL Server 期望 SQL 语句中使用美国分隔符,这意味着您需要使用点作为小数点分隔符。
You are putting the value for the price between quotes
This is what causes SQLServer to try a conversion from varchar to a number. To prevent that, you will have to leave of the quotes:
and make sure that P.Text contains the decimal and thousands separators that SQL Server expects. Preferably only the decimal separator. You can always do the conversion yourself using StrToFloat or StrToFloatDef with P.Text as the input and then reformat that for SQLServer.
From what I can remember, SQL Server expects the US separators in SQL statements, which means you need to use a point as the decimal separator.