SqlConnection con1 = new SqlConnection(strcon);
con1.Open();
string query = " ";
query += " BEGIN TRANSACTION ";
query += " DELETE FROM VehicleRentals FROM VehicleRentals INNER JOIN Vehicles N VehicleRentals.VehicleID = Vehicles.VehicleID WHERE LicensePlate=@LicensePlate ";
query += " DECLARE @x int ";
query += " SELECT @x = VehicleTypeCode FROM Vehicles WHERE LicensePlate=@LicensePlate ";
query += " DELETE FROM Manufacturers FROM Manufacturers INNER JOIN Models ON Manufacturers.ManufacturerCode = Models.ManufacturerCode INNER JOIN Vehicles ON Models.ModelID = Vehicles.ModelID WHERE LicensePlate=@LicensePlate ";
query += " DELETE FROM VehicleTypes FROM VehicleTypes WHERE VehicleTypeCode = @x ";
query += " COMMIT TRANSACTION ";
SqlCommand cmd1 = new SqlCommand(query, con1);
cmd1.Parameters.AddWithValue("@LicensePlate", txtPlaka.Text);
cmd1.ExecuteNonQuery();
con1.Close();
我按照你的说法修改了代码。使用参数@LicensePlate在行和I之间的空格。但代码无效
答案 0 :(得分:5)
query += "BEGIN TRANSACTION";
query += "DELETE FROM VehicleRentals FROM VehicleRentals INNER JOIN Vehicles N..."
变成
"BEGIN TRANSACTIONDELETE FROM..."
您需要在每行之间包含空格:
query += "BEGIN TRANSACTION";
query += " DELETE FROM VehicleRentals FROM VehicleRentals INNER JOIN Vehicles N..."
正如其他人所说,你应该使用参数来避免sql注入。