I get a string in XML format from the database and try to update the XML with the following query:
ExecuteNonQuery("Update Logs SET Message = " + encryptedMessage + " WHERE ID = " + message.Id);
But it gives me this error message:
Incorrect syntax near '<'.
The label 'xmlns' has already been declared. Label names must be unique within a query batch or stored procedure.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
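I think it may have something to do with the quotes, but I'm not sure. I tried different options, such as single quotes, mixed quotes, and so on.
For example, if I do this: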
ExecuteNonQuery("Update Logs SET Message = " + encryptedMessage.Replace('"','\'')+ " WHERE ID = " + message.Id);
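Will this permanently change the double quotes in the message to single quotes? I don't want to do that.
Answer 0: (score: 3)
Yes, it looks like you are missing the quotes around the message: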
ExecuteNonQuery("Update Logs SET Message = '" + encryptedMessage + "' WHERE ID = " + message.Id);
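The XML itself may also contain single quotes, so you may need to escape them (for example, change each single quote in the message to two single quotes).
Answer 1: (score: 2)
Use a parameterized query and a command object; your encrypted message may contain characters that break the syntax of the UPDATE statement.
Answer 2: (score: 2)
As @Tomek mentioned, you should use a parameterized query. It is safer, and there is no need for the conversion suggested in @Dan Sueava's answer.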
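// Assumes an open SqlConnection named "connection"; the original answer did not show one.
SqlCommand command =
    new SqlCommand("Update Logs SET Message = @EncryptedText WHERE ID = @MessageId", connection);
// The values travel as parameters, so quotes inside the XML are never parsed as SQL.
command.Parameters.AddWithValue("@EncryptedText", encryptedMessage);
command.Parameters.AddWithValue("@MessageId", message.Id);
command.ExecuteNonQuery();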
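
An added example, not part of the original question or answers: the approaches from this thread run against an in-memory SQLite table through Python's sqlite3, used here as an offline stand-in for SQL Server and ADO.NET (the table layout and the sample XML are constructed). It shows the concatenated forms failing on the XML's quotes, and both the escaped literal and the parameterized update storing the message unchanged.

```python
import sqlite3

# Constructed sample: XML with an xmlns attribute, double quotes and single quotes.
SAMPLE_XML = '<log xmlns="urn:example"><msg user="o\'brien">it\'s "fine"</msg></log>'


def make_db():
    """In-memory stand-in for the Logs table from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Logs (ID INTEGER PRIMARY KEY, Message TEXT)")
    conn.execute("INSERT INTO Logs (ID, Message) VALUES (1, 'old')")
    return conn


def update_concatenated(conn, message, log_id, quoted=False, escape=False):
    """Build the UPDATE by string concatenation.

    quoted=False is the question's query, quoted=True is answer 0's, and
    escape=True also doubles single quotes as answer 0 suggests.
    Returns None on success, otherwise the database error text
    (SQLite's wording, which differs from SQL Server's).
    """
    value = message.replace("'", "''") if escape else message
    if quoted:
        value = "'" + value + "'"
    sql = "UPDATE Logs SET Message = " + value + " WHERE ID = " + str(log_id)
    try:
        conn.execute(sql)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def update_parameterized(conn, message, log_id):
    """Send the values separately from the SQL text, as in answer 2."""
    conn.execute("UPDATE Logs SET Message = ? WHERE ID = ?", (message, log_id))


def stored_message(conn, log_id):
    row = conn.execute("SELECT Message FROM Logs WHERE ID = ?", (log_id,)).fetchone()
    return row[0]


if __name__ == "__main__":
    conn = make_db()
    print("unquoted:", update_concatenated(conn, SAMPLE_XML, 1))
    print("quoted:", update_concatenated(conn, SAMPLE_XML, 1, quoted=True))
    update_parameterized(conn, SAMPLE_XML, 1)
    print("stored unchanged:", stored_message(conn, 1) == SAMPLE_XML)
```

Doubling the quotes only changes the SQL literal, not the stored value, so the double quotes in the message are not rewritten in either working variant.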