使用mysql插入数据时出现语法错误

时间:2014-10-05 08:46:34

标签: c# mysql winforms

错误:

  

&#39>附近的语法不正确。   字符串后的未闭合引号');'。

代码:

private void btnAdd_Click(object sender, EventArgs e)
{
    SqlConnection cn = new SqlConnection(global::CIMT.Properties.Settings.Default.Database2ConnectionString);

    try 
    {
        string sql = "INSERT INTO Students(Student_Id,First_Name,Last_Name,Fathers_Name,DOB,Mobile,Address,Post_Code) VALUES('"+this.txtId.Text+"','"+this.txtFName.Text+"','"+this.txtLName.Text+"','"+this.txtFaName.Text+"','"+this.txtDOB.Text+"','"+this.txtMob.Text+"','"+this.txtAddress.Text+"','"+this.txtPostCode.Text+ "');";
        SqlCommand exesql = new SqlCommand(sql, cn);
        cn.Open();
        exesql.ExecuteNonQuery();

        MessageBox.Show("Add new record done !!" , "Message" , MessageBoxButtons.OK , MessageBoxIcon.Information);
        this.studentsTableAdapter.Fill(this.database2DataSet.Students);
    }

    catch (Exception ex) 
    {
        MessageBox.Show(ex.Message , "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
    }

    finally 
    {
        cn.Close();
    }
}

1 个答案:

答案 0 :(得分:1)

使用参数化查询,就像那些人在评论中告诉你的那样,不仅可以避免错误,还可以帮助你避免SQL注入。

private void btnAdd_Click(object sender, EventArgs e)
{
    var cnString = global::CIMT.Properties.Settings.Default.Database2ConnectionString;
    using (SqlConnection cn = new SqlConnection(cnString))
    {
        try 
        {
            cn.Open();
            using (var exesql = new SqlCommand(
                      @"INSERT INTO Students(Student_Id
                                            ,First_Name
                                            ,Last_Name
                                            ,Fathers_Name
                                            ,DOB
                                            ,Mobile
                                            ,Address
                                            ,Post_Code) 
                        VALUES(@Student_Id
                                ,@First_Name
                                ,@Last_Name
                                ,@Fathers_Name
                                ,@DOB
                                ,@Mobile
                                ,@Address
                                ,@Post_Code);",
            cn))
            {
                exesql.Parameters.AddWithValue("@Student_Id", this.txtId.Text);
                exesql.Parameters.AddWithValue("@First_Name", this.txtFName.Text);
                exesql.Parameters.AddWithValue("@Last_Name",this.txtLName.Text );
                exesql.Parameters.AddWithValue("@Fathers_Name", this.txtFaName.Text);
                exesql.Parameters.AddWithValue("@DOB", this.txtDOB.Text);
                exesql.Parameters.AddWithValue("@Mobile", this.txtMob.Text);
                exesql.Parameters.AddWithValue("@Address", this.txtAddress.Text);
                exesql.Parameters.AddWithValue("@Post_Code", this.txtPostCode.Text);

                exesql.ExecuteNonQuery();

                MessageBox.Show("Add new record done !!" , "Message" , MessageBoxButtons.OK 
                                , MessageBoxIcon.Information);
                this.studentsTableAdapter.Fill(this.database2DataSet.Students);
            }
        }
        catch (Exception ex) 
        {
            MessageBox.Show(ex.Message , "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        }
    }
}

阅读SqlParameter Class

相关问题
最新问题