SQL error: "Incorrect syntax near 'AND'"

Time: 2011-02-06 10:30:33

Tags: asp.net vb.net sql-server-2005

"[..] security info=False;initial catalog=pooja2011"

Dim cmd As New Data.SqlClient.SqlCommand
Dim con As New Data.SqlClient.SqlConnection(constr)

Try
   Dim strSql As String = "UPDATE a1_ticket SET BANK = '" & Literal20.Text & "' AND PAID = '" & Label1.Text & "'AND BID = '" & Literal21.Text & "' WHERE Ticket_no ='" & Literal3.Text & "'"

   '------------"
   con.Open()
   cmd.Connection = con
   cmd.CommandText = strSql
   cmd.ExecuteNonQuery()
Catch ex As Exception
   Response.Write(ex.Message)
Finally
   cmd.Dispose()
   con.Dispose()
End Try

Error: Incorrect syntax near 'AND'

2 answers:

Answer 0 (score: 3)

You are not using parameterized queries, which leaves your code vulnerable to SQL injection. Here is how to improve it:

Try
    Using conn = New SqlConnection(constr)
    Using cmd = conn.CreateCommand()
        conn.Open()
        Dim sql As String = "UPDATE a1_ticket SET BANK = @bank, PAID = @paid, BID = @bid WHERE Ticket_no = @ticketNo"
        cmd.CommandText = sql
        cmd.Parameters.AddWithValue("@bank", Literal20.Text)
        cmd.Parameters.AddWithValue("@paid", Label1.Text)
        cmd.Parameters.AddWithValue("@bid", Literal21.Text)
        cmd.Parameters.AddWithValue("@ticketNo", Literal3.Text)
        cmd.ExecuteNonQuery()
    End Using
    End Using
Catch ex As Exception
    Response.Write(ex.Message)
End Try
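An added example, not from the question or either answer: it runs the same UPDATE against an in-memory SQLite table (a constructed stand-in for the SQL Server 2005 table a1_ticket; SQLite uses ? placeholders where SQL Server uses @bank etc.) and shows why the concatenated form is fragile. A bank name containing a quote breaks the concatenated statement, while the parameterised form from the answer stores it unchanged. The table layout, sample row and input values are assumptions.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the a1_ticket table named in the question.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE a1_ticket (Ticket_no TEXT PRIMARY KEY, BANK TEXT, PAID TEXT, BID TEXT)")
    con.execute("INSERT INTO a1_ticket VALUES ('T100', '', '', '')")
    return con


def update_concat(con, ticket_no, bank, paid, bid):
    # The question's approach (with the SET clause corrected to use commas):
    # user input is pasted into the SQL text, so any quote in the input alters the statement.
    sql = ("UPDATE a1_ticket SET BANK = '" + bank + "', PAID = '" + paid + "', BID = '" + bid
           + "' WHERE Ticket_no = '" + ticket_no + "'")
    con.execute(sql)


def update_param(con, ticket_no, bank, paid, bid):
    # Parameterised form from the answer: the SQL text is fixed, values travel separately.
    sql = "UPDATE a1_ticket SET BANK = ?, PAID = ?, BID = ? WHERE Ticket_no = ?"
    con.execute(sql, (bank, paid, bid, ticket_no))


def read_row(con, ticket_no):
    return con.execute(
        "SELECT BANK, PAID, BID FROM a1_ticket WHERE Ticket_no = ?", (ticket_no,)
    ).fetchone()


def demo():
    con = make_db()
    bank = "O'Brien Savings"  # constructed input containing a single quote
    results = {}
    try:
        update_concat(con, "T100", bank, "yes", "B7")
        results["concat"] = "ok"
    except sqlite3.Error:
        # The quote in the input terminates the string literal early: syntax error.
        results["concat"] = "error"
    update_param(con, "T100", bank, "yes", "B7")
    results["param"] = read_row(con, "T100")
    return results


if __name__ == "__main__":
    print(demo())
```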

Answer 1 (score: 0)

Well, there is no space after the single quote before AND:

Label1.Text & "'AND BID = '"

should be:

Label1.Text & "' AND BID = '"

If that does not fix your problem, could you post the error message?