所以,
尝试编写一个非常简单的方法来更新数据库中的单个列。我不断在
下面的注释行附近收到“语法错误”的运行时错误public void SaveStatus(string id, string step)
{
// assuming that there is only one matching student ID
connect = new SqlConnection(connectionString);
connect.Open();
dataSet = new DataSet();
string command = "SELECT * FROM tblSubmissions WHERE Id = " + id;
dataAdapter = new SqlDataAdapter(command, connect);
dataAdapter.Fill(dataSet, "tblSubmissions"); // syntax error near here
dataSet.Tables[0].Rows[0]["StatusID"] = step;
dataAdapter.Update(dataSet, "tblSubmissions");
dataAdapter.Dispose();
connect.Close();
connect.Dispose();
}
希望有人可以指出我遗漏的明显问题
答案 0 :(得分:3)
查询应为"SELECT * FROM tblSubmissions WHERE Id = 'id_value' - 您错过了id值附近的引号。
使用参数化查询而不是字符串连接来修复问题并摆脱SQL注入问题:
SqlCommand cmd = new SqlCommand("SELECT * FROM tblSubmissions WHERE Id = @id" , connect);
cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier);
cmd.Parameters["@id"].Value = id;