SQL语法错误

Question

当我尝试使用表单插入数据时，它会抛出异常（e1）＆＃34;错误发生请再试一次＆＃34;你的sql语法有错误，请检查与你的Mysql服务器版本相对应的手册，以便在＆＃34;附近使用正确的语法。在第1行 请帮助纠正此错误

StringBuilder query = new StringBuilder();
query.Append("Insert Into my_project_data.vehicle(ChassyNumber ,ManufacturedYear, EngineCapacity,Price,Features ,VehicleBrand , VehicleType) Values('" + chassy_txt.Text + "','"+manufac_year_txt.Text+"','"+Engine_Capasity_txt.Text+"','"+Price_txt.Text+"','"+Features_rich_txt.Text+"',");

Classes.DB_Connectivity db = new Classes.DB_Connectivity();

try
{
    db.openConnection();

        if ((radioButton1.Checked || radioButton2.Checked) && (radioButton7.Checked || radioButton11.Checked) && ( manufac_year_txt.Text != "" && Engine_Capasity_txt.Text != "" && Price_txt.Text != "" && Features_rich_txt.Text != ""))
        {


            if (radioButton1.Checked)
            {
                query.Append("BMW ,");

            }
            if (radioButton2.Checked) 
            {
                query.Append("Benz , ");
            }
            if (radioButton7.Checked)
            {
                query.Append("Car ,");
            }
            if (radioButton11.Checked)
            {
                query.Append("SUV ,");
            }

           if ( manufac_year_txt.Text != "" && Engine_Capasity_txt.Text != "" && Price_txt.Text != "" && Features_rich_txt.Text != "")
           { 
               query.Append(" '"+manufac_year_txt.Text+"', '"+Engine_Capasity_txt.Text+"','"+Price_txt.Text+"','"+Features_rich_txt.Text+"'");
            }

            MySqlCommand cmd = new MySqlCommand(query.ToString(), db.conn);
            cmd.ExecuteNonQuery();


            MessageBox.Show(" Vehicle Registration Successfull ", "Information", MessageBoxButtons.OK, MessageBoxIcon.Information);


        }
        else
        {
            MessageBox.Show("Fill All Required Information ", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        }

}
catch (Exception e1)
{
    MessageBox.Show("Error Occured Please Try Again "  +e1.Message,"Error",MessageBoxButtons.OK,MessageBoxIcon.Error);
}

Answer 1

你可能在这行末尾错过了一个撇号（以粗体添加）：

  

query.Append（＆＃34; Insert into my_project_data.vehicle（ChassyNumber）   ，ManufacturedYear，EngineCapacity，价格，功能，VehicleBrand，   VehicleType）值（＆＃39;＆＃34; + chassy_txt.Text +   ＆＃34;＆＃39;＆＃39;＆＃34 + + manufac_year_txt.Text＆＃34;＆＃39;＆＃39;＆＃34 + + Engine_Capasity_txt.Text＆＃34;＆＃ 39;，＆＃39;＆＃34 + + Price_txt.Text＆＃34;＆＃39;＆＃39;＆＃34 + + Features_rich_txt.Text＆＃34;＆＃39;＆＃34 ）;

应该是＆＃39;＆＃34; + Features_rich_txt.Text +＆＃34;＆＃39;，＆＃39; ＆＃34;）; 你有： ＆＃39;＆＃34 + + Features_rich_txt.Text＆＃34;＆＃39;＆＃34）;

在汽车模型之后你还需要一个撇号： 喜欢： query.Append（＆＃34; BMW＆＃39;，＆＃34;）; 等等。

还请考虑以上关于SQL注入的评论之一。