我有以下代码:
public static void dbInfoInsert(int ID)
{
try
{
SqlConnection sqlCon = new SqlConnection(@"Data Source = (local); Initial Catalog = myDB; Integrated Security = True;");
sqlCon.Open();
SqlCommand insert = new SqlCommand
{
CommandText = string.Format("INSERT INTO [dbo.Food] ([FoodID], [FoodName], [FoodPrice], [FoodDescription]) VALUES ({0}, {1}, {2}, {3})", "T001", "FoodName", 23, "Food"),
Connection = sqlCon
};
insert.ExecuteNonQuery();
Console.Clear();
Console.WriteLine("SUCCESS");
Console.ReadKey();
sqlCon.Close();
}
// In case connection to Microsoft SQL fails
catch (SqlException e)
{
Console.WriteLine(e.ToString());
Console.ReadKey();
}
}
该错误表明我有一个Invalid column name 'T001',但这不是我的专栏。我在这里做错什么了吗?在我的名为myDB的数据库中,我有一个dbo.Food表,其中包含以下列:
答案 0 :(得分:1)
您应该始终坚持使用SqlParamter来避免Sql注入。此外,它还可以帮助您避免诸如缺少'之类的错误,而这些错误是在没有代码的情况下发生的。
string commandText = @"INSERT INTO [dbo.Food] ([FoodID], [FoodName], [FoodPrice], [FoodDescription]) VALUES (@param1, @param2, @param3, @param4)";
using (SqlConnection connection = new SqlConnection(connectionString))
{
SqlCommand cmd = new SqlCommand(sql,connection);
cmd.Parameters.Add("@param1", SqlDbType.Varchar,10).value = "T001";
cmd.Parameters.Add("@param2", SqlDbType.Varchar, 100).value = "FoodName";
cmd.Parameters.Add("@param3", SqlDbType.Money).value = 23;
cmd.Parameters.Add("@param4", SqlDbType.Varchar, 100).value = "Food";
cmd.CommandType = CommandType.Text;
cmd.ExecuteNonQuery();
}
尽管不建议这样做,但是如果您需要使当前代码正常工作,请用“'”包裹varchar参数。
CommandText = string.Format("INSERT INTO [dbo.Food] ([FoodID], [FoodName], [FoodPrice], [FoodDescription]) VALUES ('{0}', '{1}', {2}, '{3}')", "T001", "FoodName", 23, "Food")