为什么我总是会收到此错误?

时间:2013-12-21 17:16:47

标签: c# winforms datagridview sqlcommand

这是我的代码

SqlConnection con = new SqlConnection(strConnection);
con.Open();

SqlCommand sqlCmd = new SqlCommand();
sqlCmd.Connection = con;
sqlCmd.CommandType = CommandType.Text;

for (int i = 0; i < dataGridView1.Rows.Count; i++)
{
    sqlCmd.CommandText = "INSERT INTO ChheckIn VALUES 
(rakmsheek,tare5sheek,esmsa7bsheek,mablgh,hesab,esmel7sab,mla7zat) (" + 
dataGridView1.Rows[i].Cells["Column1"].Value + ", " + 
dataGridView1.Rows[i].Cells["Column2"].Value + "," + 
dataGridView1.Rows[i].Cells["Column3"].Value + ", " + 
dataGridView1.Rows[i].Cells["Column4"].Value + ", " + 
dataGridView1.Rows[i].Cells["Column5"].Value + ", " + 
dataGridView1.Rows[i].Cells["Column6"].Value + ", " + 
dataGridView1.Rows[i].Cells["Column7"].Value + ",);";


    sqlCmd.ExecuteNonQuery();
    con.Close();
}

http://i.stack.imgur.com/jtkX8.png

我想从我的datagridview获取数据到表CheckIn

我在附带的屏幕截图中显示错误。

1 个答案:

答案 0 :(得分:3)

问题1:您在INSERT INTO语句末尾添加了额外的逗号。
解决方案1::在comma声明的末尾删除额外的(,) INSERT INTO

注意:将VARCHAR/NVARCHAR (String)

中的所有single quotes类型都包含在内

示例:

sqlCmd.CommandText = "INSERT INTO tablename(name) VALUES('yourname');

试试这个:

sqlCmd.CommandText = "INSERT INTO ChheckIn (rakmsheek,tare5sheek,esmsa7bsheek,mablgh,hesab,esmel7sab,mla7zat) VALUES (" + dataGridView1.Rows[i].Cells["Column1"].Value + ", " + dataGridView1.Rows[i].Cells["Column2"].Value + "," + dataGridView1.Rows[i].Cells["Column3"].Value + ", " + dataGridView1.Rows[i].Cells["Column4"].Value + ", " + dataGridView1.Rows[i].Cells["Column5"].Value + ", " + dataGridView1.Rows[i].Cells["Column6"].Value + ", " + dataGridView1.Rows[i].Cells["Column7"].Value + ");";

问题2:您误用/合并了列名和值。

解决方案2:您需要使用正确的语法。

 sqlCmd.CommandText = "INSERT INTO ChheckIn(rakmsheek,tare5sheek,esmsa7bsheek,mablgh,hesab,esmel7sab,mla7zat) VALUES (" + dataGridView1.Rows[i].Cells["Column1"].Value + ", " + dataGridView1.Rows[i].Cells["Column2"].Value + "," + dataGridView1.Rows[i].Cells["Column3"].Value + ", " + dataGridView1.Rows[i].Cells["Column4"].Value + ", " + dataGridView1.Rows[i].Cells["Column5"].Value + ", " + dataGridView1.Rows[i].Cells["Column6"].Value + ", " + dataGridView1.Rows[i].Cells["Column7"].Value + ");";

问题3 /建议:您的查询对SQL注入攻击是开放的。

解决方案3:使用Parameterised queries来避免sql injection attacks

sqlCmd.CommandText = "INSERT INTO ChheckIn(rakmsheek,tare5sheek,esmsa7bsheek,mablgh,hesab,esmel7sab,mla7zat)     
VALUES(@rakmsheek,@tare5sheek,@esmsa7bsheek,@mablgh,@hesab,@esmel7sab,@mla7zat)";  

sqlCmd.Parameters.AddWithValue("@rakmsheek",dataGridView1.Rows[i].Cells["Column1"].Value); 
sqlCmd.Parameters.AddWithValue("@tare5sheek",dataGridView1.Rows[i].Cells["Column2"].Value); 
sqlCmd.Parameters.AddWithValue("@esmsa7bsheek",dataGridView1.Rows[i].Cells["Column3"].Value); 
sqlCmd.Parameters.AddWithValue("@mablgh",dataGridView1.Rows[i].Cells["Column4"].Value); 
sqlCmd.Parameters.AddWithValue("@hesab",dataGridView1.Rows[i].Cells["Column5"].Value);   
sqlCmd.Parameters.AddWithValue("@esmel7sab",dataGridView1.Rows[i].Cells["Column6"].Value);
sqlCmd.Parameters.AddWithValue("@mla7zat",dataGridView1.Rows[i].Cells["Column7"].Value);
相关问题
最新问题