这句话有什么问题?我收到错误“命令未正确结束”:
update subjectinfo set subject_name = '"
+ textBoxSubjectNameUpdate.Text
+ "' , subject_abbreviation = '"
+ textBoxSubjectAbbreviationUpdate.Text
+ "where subject_code = '"
+ textBoxSubjectCodeUpdate.Text + "'"
答案 0 :(得分:3)
您缺少textBoxSubjectAbbreviationUpdate.Text值之后的结束单引号,然后是where之间的空格:
update subjectinfo set subject_name = '"
+ textBoxSubjectNameUpdate.Text
+ "' , subject_abbreviation = '"
+ textBoxSubjectAbbreviationUpdate.Text
+ "' where subject_code = '"
+ textBoxSubjectCodeUpdate.Text + "'"
你也在邀请SQL注入;请考虑使用bind variables而不是将用户输入直接放入您的语句中。
答案 1 :(得分:2)
此
+ "where subject_code = '"
应该阅读
+ "' where subject_code = '"
^ quote and space here
但请使用参数。不要以这种方式构建SQL,它会导致SQL injection攻击成功。
答案 2 :(得分:1)
最后在“where”之前缺少单引号:
update subjectinfo set subject_name = '"
+ textBoxSubjectNameUpdate.Text
+ "' , subject_abbreviation = '"
+ textBoxSubjectAbbreviationUpdate.Text
+ "' where subject_code = '"
+ textBoxSubjectCodeUpdate.Text + "'
答案 3 :(得分:0)
理想情况下,不应在代码中使用SQL语句来避免SQL注入。
上面的具体情况,可以使用StringBuilder类编写,它更干净,性能负担更小。
StringBuilder sb = new StringBuilder("update subjectinfo set subject_name = '");
sb.Append(textBoxSubjectNameUpdate.Text);
sb.Append("' , subject_abbreviation = '");
sb.Append(textBoxSubjectAbbreviationUpdate.Text);
sb.Append("' where subject_code = '");
sb.Append(textBoxSubjectCodeUpdate.Text);
sb.Append("'");
var script sb.ToString()