当我尝试在我的数据库中运行和插入数据时出现语法错误....我有一个登录按钮和删除按钮,工作得很好....但是这个没有,我不喜欢'得到它.....有人可以告诉我替代插入或错误是什么?
public partial class Register : Form
{
private OleDbConnection connect = new OleDbConnection();
public Register()
{
InitializeComponent();
connect.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=resources\Users.accdb;
Persist Security Info=False;";
}
private void register1_Click(object sender, EventArgs e)
{
try
{
connect.Open();
OleDbCommand command = new OleDbCommand();
command.Connection = connect;
command.CommandText ="insert into Users(Username, Password, Email) values(' " + userR_box.Text + " ',' " + passwordR_box.Text + " ',' " + mailR_box.Text + " ')";
if ((userR_box.Text == "") || (passwordR_box.Text == "") || (mailR_box.Text == ""))
{
MessageBox.Show("Va rugam completati toate campurile");
}
else
{
command.ExecuteNonQuery();
}
}
catch (Exception ex)
{
MessageBox.Show("Error "+ ex);
}
connect.Close();
}
答案 0 :(得分:0)
首先,阅读有关在查询中添加参数的信息,MSDN或Stack Overflow(How do parameterized queries help against SQL injection?)。
它可以节省你构建一个字符串,并可能在错误的地方输入引号。
答案 1 :(得分:-1)
看着你的代码,我注意到了三件事:
' " + userR_box.Text + " ' '或任何其他可能影响查询的字符...这将导致错误。INSERT into Users ([Username], [Password], [Email]...以避免保留关键字。