Adding data from the front end to the back end

Time: 2015-08-05 18:37:14

Tags: c# sql database

I am getting this error: "Unclosed quotation mark after the character string" on the line: cmd.ExecuteNonQuery();

I have looked at it, but I cannot tell what is wrong. I also tried putting in two textboxes, but I cannot seem to debug it. Please advise. Thanks!

Here is the code:

using System;
using System.Data;
using System.Data.SqlClient;

namespace Inventory
{
    public partial class NewData : System.Web.UI.Page
    {
        // Connection string, including credentials, hard-coded in the page class
        SqlConnection cn = new SqlConnection("Data Source=10.10.101.188;Initial Catalog=ActioNetITInventory;User ID=rails.sa;Password=ActioNet1234");


        protected void Page_Load(object sender, EventArgs e)
        {

        }//end page load

        protected void addButton_Click(object sender, EventArgs e)
        {
            cn.Open();
            SqlCommand cmd = cn.CreateCommand();
            cmd.CommandType = CommandType.Text;
            // The SQL text is built by concatenating the text-box contents directly;
            // the stray ' after the closing parenthesis is the unclosed quote the error reports
            cmd.CommandText = "INSERT INTO Inventory values('" + Typetb.Text + " ',' " + Maketb.Text + "','" + Modeltb.Text + "','" + Serialtb.Text + "','" + Assignedtb.Text + "','" + Locationtb.Text + "','" + Notestb.Text + "')'";
            cmd.ExecuteNonQuery();
            cn.Close();

            status.Visible = true;
            status.Text = "Added successfully!";


            Typetb.Text = "";
            Maketb.Text = "";
            Modeltb.Text = "";
            Serialtb.Text = "";
            Assignedtb.Text = "";
            Locationtb.Text = "";
            Notestb.Text = "";

        }//end add button

        protected void clearButton_Click1(object sender, EventArgs e)
        {

            Typetb.Text = "";
            Maketb.Text = "";
            Modeltb.Text = "";
            Serialtb.Text = "";
            Assignedtb.Text = "";
            Locationtb.Text = "";
            Notestb.Text = "";


        }//clear button




    }//end 
}//end

3 Answers:

Answer 0 (score: 1)

As far as I can see, you have an unnecessary single quote at the end of your query.

Notestb.Text + "')'
                  ^^ here

But more importantly

You should always use parameterized queries. This kind of string concatenation is open to SQL Injection attacks.

Also use the using statement to dispose of your connection and command automatically instead of calling the Close and Dispose methods manually.

using(var cn = new SqlConnection(conString))
using(var cmd = cn.CreateCommand())
{
   // Set your CommandText property with your parameter definitions
   // Add your parameters and their values with Add method
   // Open your connection
   // Execute your query.
}
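
Filled in, the pattern sketched above looks like the following. This is an added example, not code from the question or from the answer's author: the column names of the Inventory table, the parameter lengths and the web.config connection-string name "InventoryDb" are assumptions, while the text-box and status control names are the ones from the question.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

namespace Inventory
{
    // Data-access helper with the parameterized INSERT. Column names, the
    // NVarChar lengths and the table layout are assumptions about the Inventory
    // table, not taken from the original question.
    public static class InventoryRepository
    {
        public static int AddItem(string connectionString, string type, string make,
            string model, string serial, string assigned, string location, string notes)
        {
            // Explicit column list so the INSERT does not silently break if a
            // column is added or reordered; the placeholders carry the user input.
            const string sql =
                "INSERT INTO Inventory (Type, Make, Model, Serial, Assigned, Location, Notes) " +
                "VALUES (@Type, @Make, @Model, @Serial, @Assigned, @Location, @Notes)";

            using (var cn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand(sql, cn))
            {
                cmd.CommandType = CommandType.Text;

                // Typed, length-limited parameters: the text-box contents travel as
                // data, never as part of the SQL text, so a Notes value such as
                //   x'); DELETE FROM Inventory; --
                // is stored verbatim instead of running as a second statement, and a
                // value like O'Brien no longer breaks the statement.
                cmd.Parameters.Add("@Type", SqlDbType.NVarChar, 50).Value = type ?? "";
                cmd.Parameters.Add("@Make", SqlDbType.NVarChar, 50).Value = make ?? "";
                cmd.Parameters.Add("@Model", SqlDbType.NVarChar, 100).Value = model ?? "";
                cmd.Parameters.Add("@Serial", SqlDbType.NVarChar, 100).Value = serial ?? "";
                cmd.Parameters.Add("@Assigned", SqlDbType.NVarChar, 100).Value = assigned ?? "";
                cmd.Parameters.Add("@Location", SqlDbType.NVarChar, 100).Value = location ?? "";
                cmd.Parameters.Add("@Notes", SqlDbType.NVarChar, 1000).Value = notes ?? "";

                cn.Open();                      // opened as late as possible...
                return cmd.ExecuteNonQuery();   // ...and closed by the using block, even on exceptions
            }
        }
    }

    // Replacement for the question's addButton_Click, using the helper above.
    public partial class NewData : System.Web.UI.Page
    {
        protected void addButton_Click(object sender, EventArgs e)
        {
            // Connection string read from web.config (the name "InventoryDb" is an
            // assumption) instead of being hard-coded with credentials in the page class.
            string cs = ConfigurationManager.ConnectionStrings["InventoryDb"].ConnectionString;

            try
            {
                InventoryRepository.AddItem(cs, Typetb.Text, Maketb.Text, Modeltb.Text,
                    Serialtb.Text, Assignedtb.Text, Locationtb.Text, Notestb.Text);
                status.Text = "Added successfully!";
            }
            catch (SqlException)
            {
                // Report failure without echoing the database error text to the browser.
                status.Text = "The item could not be added.";
            }
            status.Visible = true;
        }
    }
}
```

Two details worth checking when adapting this: set each parameter Size to the real column length, because SqlClient truncates a string parameter to its declared Size, and leaving Size unset makes the client infer a different length from every value, which defeats plan caching on the server. Also note that the question's concatenation stored stray spaces around the Type and Make values (the " ',' " fragment); the parameterized version passes the text exactly as typed, so trim in the caller if that is wanted.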

Answer 1 (score: 0)

Your command ends with an extra single quote. It should be:

cmd.CommandText = "INSERT INTO Inventory values('" + 
    Typetb.Text + " ',' " + Maketb.Text + "','" + Modeltb.Text + 
    "','" + Serialtb.Text + "','" + Assignedtb.Text + "','" +
    Locationtb.Text + "','" + Notestb.Text + "')";

Answer 2 (score: 0)

I think the problem is

cmd.CommandText = "INSERT INTO Inventory values('" + Typetb.Text + " ',' " 
    + Maketb.Text + "','" + Modeltb.Text + "','" + Serialtb.Text + "','" + 
    Assignedtb.Text + "','" + Locationtb.Text + "','" + Notestb.Text + "')'";

There is a stray single quote ' after the closing parenthesis. It should be:

cmd.CommandText = "INSERT INTO Inventory values('" + Typetb.Text + " ',' " 
    + Maketb.Text + "','" + Modeltb.Text + "','" + Serialtb.Text + "','" 
    + Assignedtb.Text + "','" + Locationtb.Text + "','" + Notestb.Text 
    + "')";