当我要插入此值时,syntax error附近显示','。我无法解决问题
protected void Button1_Click(object sender, EventArgs e)
{
qry = "insert [Customer_ID],[Factory_Name],[Factory_Address],[Contuct_Persion],[Contuct_Number],[Software_Name_And_Version],[Dongle_Number],[Modeul_Name],[Software_Dalivery_Date],[Remarks] into MastTechSoftwareInformation values('" + TextBox1.Text + "','" + TextBox2.Text + "','" + TextBox3.Text + "','" + TextBox4.Text + "','" + TextBox5.Text + "','" + TextBox6.Text + "','" + TextBox7.Text + "','" + TextBox8.Text + "','" + TextBox9.Text.ToString() + "','" + TextBox10.Text + "')";
con = new SqlConnection(connection);
cmd = new SqlCommand(qry, con);
con.Open();
cmd.ExecuteNonQuery();
con.Close();
Label1.Text = "Record Inserted.";
}
答案 0 :(得分:2)
插入语法
INSERT INTO table_name (column1,column2,column3,...)
VALUES (value1,value2,value3,...);
对于列名称和()
INTO
使用参数,你的内联参数广泛用于sql注入攻击
using (var conn = new SqlConnection(connectionString))
using (var command = new SqlCommand("INSERT INTO table_name (column1,column2) VALUES (@value1,@value2)", conn)) {
conn.Open();
command.Parameters.AddWithValue("@value1", value1);
command.Parameters.AddWithValue("@value2", value2);
command.ExecuteNonQuery();
}
如果您有identity column,则无需为该列设置值,请删除identity column
以及为参数设置值时,还要设置与数据库列类型匹配的值。例如,如果数据库中Software_Dalivery_Date为DateTime,则将输入文本转换为DateTime并设置Software_Dalivery_Date参数
答案 1 :(得分:0)
试
qry = "insert into MastTechSoftwareInformation ([Customer_ID],[Factory_Name],[Factory_Address],[Contuct_Persion],[Contuct_Number],[Software_Name_And_Version],[Dongle_Number],[Modeul_Name],[Software_Dalivery_Date],[Remarks]) values('" + TextBox1.Text + "','" + TextBox2.Text + "','" + TextBox3.Text + "','" + TextBox4.Text + "','" + TextBox5.Text + "','" + TextBox6.Text + "','" + TextBox7.Text + "','" + TextBox8.Text + "','" + TextBox9.Text.ToString() + "','" + TextBox10.Text + "')";
您已经错过了列(),列应该在“into tablename”之后
答案 2 :(得分:0)
使用带参数的正确查询,在不检查它们的情况下使用参数永远都不错 - 这是SQL注入的一个邀请。
var command = new SqlCommand("INSERT INTO Example (i_Id) VALUES (@Id);", SqlConnection);
command.Parameters.Add("@Id", SqlDbType.Int).Value = Convert.ToInt32(txtBox1.ToString());
无论如何,您的括号()缺失
答案 3 :(得分:0)
protected void Button1_Click(object sender, EventArgs e)
{
qry = "insert into MastTechSoftwareInformation ( [Customer_ID],[Factory_Name],[Factory_Address],[Contuct_Persion],[Contuct_Number],[Software_Name_And_Version],[Dongle_Number],[Modeul_Name],[Software_Dalivery_Date],[Remarks]) values('" + TextBox1.Text + "','" + TextBox2.Text + "','" + TextBox3.Text + "','" + TextBox4.Text + "','" + TextBox5.Text + "','" + TextBox6.Text + "','" + TextBox7.Text + "','" + TextBox8.Text + "','" + TextBox9.Text.ToString() + "','" + TextBox10.Text + "')";
con = new SqlConnection(connection);
cmd = new SqlCommand(qry, con);
con.Open();
cmd.ExecuteNonQuery();
con.Close();
Label1.Text = "Record Inserted.";
}
还使用查询参数代替字符串连接。
答案 4 :(得分:0)
正如其他人已经为您的问题提供了解决方案。
我建议您使用parameterised Sql queries来避免SQL injection Attacks。
See More about sql injection attacks
示例:
此:
SqlCommand command=new SqlCommand("INSERT INTO tablename(name,no) values('kumar',53)");
可以使用parameterised Sql queries编写,如下所示:
SqlCommand command=new SqlCommand("INSERT INTO tablename(name,no) values(@name,@no)");
command.Parameter.AddWithValue("@name","kumar");
command.Parameter.AddWithValue("@no",53);