我正在使用azure调用Web服务,并使用以下方法填充数据库。我不知道什么是错的..
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = String.Format("INSERT INTO UserFiles VALUES('" + obj.userRef.ToString() + "','name','name','name','name','name','name'");
command.CommandText = cmdText;
command.ExecuteNonQuery();
conn.Close();
}
}
这是错误消息:
System.Data.SqlClient.SqlException(0x80131904):语法不正确 靠近'name'。
在 System.Data.SqlClient.SqlConnection.OnError(SqlException异常, Boolean breakConnection,Action
1 wrapCloseInAction)1 wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action
在System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject) stateObj,Boolean callerHasConnectionLock,Boolean asyncClose)
在System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler,SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler,TdsParserStateObject stateObj,布尔& dataReady)
在System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName,布尔异步,Int32超时)
在System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion,String methodName,Boolean sendToPipe,Int32 timeout, Boolean asyncWrite)
在System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
at _4900ProjectDesktopInterface.Form1.uploadbutton_Click(Object sender,EventArgs e)in C:\ Users \用户肯\文件\ GitHub的\ MegaFileUploadConversionService \ TestingTool \ 4900ProjectDesktopInterface \ Form1.cs中:线 152 \ r \ nClientConnectionId:fb95122f-415B-484d-9438-903f0bf2aad0"
答案 0 :(得分:3)
您的cmdText最后需要一个);
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = String.Format("INSERT INTO UserFiles VALUES(@userRef, @name1, @name2, @name3, @name4, @name5, @name6)");
command.Parameters.AddVithValue("@userRef", obj.userRef.ToString());
command.Parameters.AddVithValue("@name1", name);
command.Parameters.AddVithValue("@name2", name);
command.Parameters.AddVithValue("@name3", name);
command.Parameters.AddVithValue("@name4", name);
command.Parameters.AddVithValue("@name5", name);
command.Parameters.AddVithValue("@name6", name);
command.CommandText = cmdText;
command.ExecuteNonQuery();
conn.Close();
}
}
正如我在comment中所说,您应该始终使用 parameterized queries 。您的代码对SQL Injection attakcs
开放答案 1 :(得分:2)
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = String.Format("INSERT INTO UserFiles VALUES('" + obj.userRef.ToString() + "','name','name','name','name','name','name')");
command.CommandText = cmdText;
command.ExecuteNonQuery();
conn.Close();
}
}
你忘记了右括号
答案 2 :(得分:0)
看起来你没有终止值的开放括号?你为什么使用 String.Format ?并且您可以摆脱 conn.close ,因为使用语句将隐式执行此操作。
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = "INSERT INTO UserFiles VALUES('" + obj.userRef.ToString() + "','name','name','name','name','name','name')";
command.CommandText = cmdText;
command.ExecuteNonQuery();
}
}