我正在尝试将评论添加到我正在构建的网站中。由于审查的内容分为3个表,我试图在数据库中执行3次插入以进行一次审核。我运行它时会显示页面,所以我知道大部分都在工作,但当我点击提交按钮时,我得到了一个:
Syntax error (missing operator) in query expression '3')'' error message.
它说问题出在这行代码中:
Line 86: dbInsert.ExecuteNonQuery()
这是本节的代码:
Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) "
sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "'," & uID & "')'"
Dim sql2 As String = "INSERT INTO MReviewRatings (MReviewID, ValueForMoney, ActingAbility, SpecialEffects, Plot, Total) "
sql2 = sql2 & " VALUES ('" & movID & "','" & moneyStar(moneyStarRating) & "','" & actingStar(actingStarRating) & "','" & effectsStar(effectStarRating) & "','" & plotStar(plotStarRating) & "','" & totalStar(avg) & "')'"
Dim sql3 As String = "INSERT INTO MReviewTexts (MReviewID, ReviewText) "
sql3 = sql3 & " VALUES ('" & review_id & "','" & txtReviewText.Text & "')'"
dbInsert.CommandText = sql
dbInsert.CommandType = CommandType.Text
dbInsert.Connection = aConnection
dbInsert2.CommandText = sql2
dbInsert2.CommandType = CommandType.Text
dbInsert2.Connection = aConnection
dbInsert3.CommandText = sql3
dbInsert3.CommandType = CommandType.Text
dbInsert3.Connection = aConnection
dbInsert.ExecuteNonQuery()
dbInsert2.ExecuteNonQuery()
dbInsert3.ExecuteNonQuery()
我不确定是什么导致了这个问题。有谁知道如何将评论插入数据库?
答案 0 :(得分:1)
通过以这种方式实现代码,正如freefaller所指出的那样,你正在暴露自己的SQL注入攻击。
如果你这样写你的查询会好得多:
Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) " & _
" VALUES (@movID,@review_id,@reviewerType,@timestamp,@userid)"
dbInsert.CommandText = sql
dbInsert.CommandType = CommandType.Text
dbInsert.Connection = aConnection
dbInsert.Parameters.Add(New SQLParameter("@movID",movID))
dbInsert.Parameters.Add(New SQLParameter("@review_id",review_id ))
dbInsert.Parameters.Add(New SQLParameter("@reviewerType",2))
dbInsert.Parameters.Add(New SQLParameter("@timestamp",Date.Now))
dbInsert.Parameters.Add(New SQLParameter("@userid",uID))
dbInsert.ExecuteNonQuery()
剩下的查询可以得到类似的处理。此更改不仅可以保护您免受SQL注入攻击,还可以使您的数据访问层代码更易于管理。
答案 1 :(得分:0)
这一行看起来像是在最后(uID之前)缺少单引号:
sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "'," & uID & "')'"
S / B:
sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "','" & uID & "')'"
答案 2 :(得分:0)
假设所有字段都是Varchar ...
Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) "
sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "','" & uID & "')"
Dim sql2 As String = "INSERT INTO MReviewRatings (MReviewID, ValueForMoney, ActingAbility, SpecialEffects, Plot, Total) "
sql2 = sql2 & " VALUES ('" & movID & "','" & moneyStar(moneyStarRating) & "','" & actingStar(actingStarRating) & "','" & effectsStar(effectStarRating) & "','" & plotStar(plotStarRating) & "','" & totalStar(avg) & "')"
Dim sql3 As String = "INSERT INTO MReviewTexts (MReviewID, ReviewText) "
sql3 = sql3 & " VALUES ('" & review_id & "','" & txtReviewText.Text & "')"
答案 3 :(得分:0)
在陈述结尾处有一个额外的单引号。
此刻字符串会产生类似......
的内容insert into (x,y,z) values ('a','b','c')'
而不是像......一样......
sql = sql & " VALUES ('" & movID .... uID & "')'"
你应该(注意缺少')...
sql = sql & " VALUES ('" & movID .... uID & "')"
作为旁注,如果您的列是基于数字的,则无需将值放在单引号内。
您还应该尝试使用SQL Injection attacks
来阻止stored procedures