How to insert dataGridView row text into a database in C#

Time: 2016-06-19 22:06:11

Tags: c# mysql database datagridview rows

I am trying to transfer the complete table text into my database, and I thought I could use a foreach loop. But I ended up with an error.

This is the code I have so far:

private void button1_Click(object sender, EventArgs e)
{
    foreach (DataGridViewRow dr in dataGridView1.Rows)
    {
        string constring = "Data Source = localhost; port = 3306; username = root; password = 0159";
        string Query = "Update TopShineDB.Table1 set Time = '" + dr.Cells[0].Value + "', CarColorNumber = '" + dr.Cells[1].Value + "', Interior = '" + dr.Cells[2].Value + "', Exterior = '" + dr.Cells[3].Value + "', CPlastic = '" + dr.Cells[4].Value + "', MPlastic = '" + dr.Cells[5].Value + "', SPlastic = '" + dr.Cells[6].Value + "', PlasticB = '" + dr.Cells[7].Value + "', WashExt = '" + dr.Cells[8].Value + "', WashEng = '" + dr.Cells[9].Value + "', WashTrunk = '" + dr.Cells[10].Value + "', WashSeats = '" + dr.Cells[11].Value + "', SeatsRmv = '" + dr.Cells[12].Value + "', SeatsFit = '" + dr.Cells[13].Value + "', Notes = '" + dr.Cells[14].Value + "', where Time = '" + dr.Cells[0].Value + "' ;";
        MySqlConnection conn = new MySqlConnection(constring);
        MySqlCommand command = new MySqlCommand(Query, conn);
        MySqlDataReader myReader;

        try
        {
            conn.Open();
            myReader = command.ExecuteReader();
            MessageBox.Show("Worker Successfully Added");
            while (myReader.Read())
            {

            }
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
    }
}

When I run the application, I get this error in the error box:

you have an error in your sql syntax check the manual that corresponds to your mysql server version for the right syntax to use near '(Time, CarColorNumber, Interior, Exterior, CPlastic,...)

What am I doing wrong? Thanks for your help.

1 answer:

Answer 0 (score: 2)

As I explained in my comment above, you have a syntax error because there is a comma before the WHERE clause. But removing that comma alone will not fix your problem, because the word TIME is a reserved keyword and you should not use it as a column name. That can be fixed by adding backticks before and after the keyword (or, better, by changing the column name).

However, concatenating strings to form your SQL text creates other possible errors, because if any of your input values contains a single quote, the whole string built by the code again becomes invalid SQL text.

The biggest problem with the string-concatenation approach is that it allows a malicious user to use the well-known hacking technique called SQL injection.

To solve the problem once and for all, you should try to write a parameterized query like this:

private void button1_Click(object sender, EventArgs e)
{
    string constring = "Data Source = localhost; port = 3306; username = root; password = 0159";

    // Prepare a string where you insert parameter's placeholders instead of
    // concatenating the grid values....
    string Query = @"Update TopShineDB.Table1 set CarColorNumber = @CarColorNumber, Interior = @Interior, 
                     Exterior = @Exterior , CPlastic = @CPlastic, MPlastic = @MPlastic, SPlastic = @SPlastic, 
                     PlasticB = @PlasticB, WashExt = @WashExt, WashEng = @WashEng, WashTrunk = @WashTrunk, 
                     WashSeats = @WashSeats, SeatsRmv = @SeatsRmv, SeatsFit = @SeatsFit, Notes = @Notes 
                     where `Time` = @Time";

    // Using statement around connection and command to destroy
    // these objects at the end of the using block
    using (MySqlConnection conn = new MySqlConnection(constring))
    using (MySqlCommand command = new MySqlCommand(Query, conn))
    {
        conn.Open();

        // Create the list of parameters required by the query
        // Notice that you should use the appropriate MySqlDbType
        // for the field receiving the value.
        command.Parameters.Add("@Time", MySqlDbType.VarChar);
        command.Parameters.Add("@CarColorNumber", MySqlDbType.VarChar);

        // ..... create all the other parameters leaving the value null

        try
        {
            foreach (DataGridViewRow dr in dataGridView1.Rows)
            {
                // Inside the loop update the parameters' values
                // with data extracted by the current row...
                command.Parameters["@Time"].Value = dr.Cells[0].Value;
                command.Parameters["@CarColorNumber"].Value = dr.Cells[1].Value;

                // ..... set the value for all other parameters ....

                // ExecuteNonQuery for INSERT/UPDATE/DELETE,
                // ExecuteReader works but it is specific for reading
                command.ExecuteNonQuery();
            }
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.Message);
        }
    }
}

Another point to note is the update of the Time field. It is being set to the same value that the WHERE clause matches on, so there is no need to update it.
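The answer's pattern carried through for all fifteen columns named in the question, as an added example that is not the answerer's code. It assumes the MySql.Data provider (namespace MySql.Data.MySqlClient), that grid cell 0 holds the Time key and cells 1 to 14 hold the remaining columns in the order the question lists them, and that every column is stored as text, which is what the answer's VarChar parameters imply. The class and method names are invented for the example. Identifiers are backticked so the reserved word Time is safe, parameters are created once outside the loop, the grid's trailing new-row placeholder is skipped, null cells are sent as SQL NULL, and the whole batch runs in one transaction so a failure on one row does not leave the earlier rows half applied.

```csharp
using System;
using System.Collections.Generic;
using System.Windows.Forms;
using MySql.Data.MySqlClient;

// Added example (hypothetical class name), not the answerer's code.
public static class GridUpdater
{
    // Column names exactly as used in the question; index 0 (Time) is the row key.
    private static readonly string[] Columns =
    {
        "Time", "CarColorNumber", "Interior", "Exterior", "CPlastic", "MPlastic",
        "SPlastic", "PlasticB", "WashExt", "WashEng", "WashTrunk", "WashSeats",
        "SeatsRmv", "SeatsFit", "Notes"
    };

    // Builds the UPDATE text once. Every identifier is backticked and every
    // value travels as a named parameter, so cell contents never become SQL text.
    private static string BuildUpdateSql()
    {
        var assignments = new List<string>();
        for (int i = 1; i < Columns.Length; i++)
            assignments.Add("`" + Columns[i] + "` = @" + Columns[i]);
        return "UPDATE TopShineDB.Table1 SET " + string.Join(", ", assignments)
             + " WHERE `Time` = @Time";
    }

    // Writes every populated grid row to the database inside one transaction.
    // Returns the total number of rows the server reported as updated.
    public static int UpdateFromGrid(string connectionString, DataGridView grid)
    {
        int affected = 0;
        using (var conn = new MySqlConnection(connectionString))
        {
            conn.Open();
            using (MySqlTransaction tx = conn.BeginTransaction())
            using (var command = new MySqlCommand(BuildUpdateSql(), conn, tx))
            {
                // Parameters are declared once; only their values change per row.
                foreach (string column in Columns)
                    command.Parameters.Add("@" + column, MySqlDbType.VarChar);

                foreach (DataGridViewRow dr in grid.Rows)
                {
                    // The empty "new row" placeholder at the bottom of the grid
                    // carries no data and would otherwise produce a NULL key.
                    if (dr.IsNewRow)
                        continue;

                    for (int i = 0; i < Columns.Length; i++)
                    {
                        // A CLR null is not a database NULL; send DBNull.Value instead.
                        object value = dr.Cells[i].Value;
                        command.Parameters["@" + Columns[i]].Value = value ?? DBNull.Value;
                    }

                    // ExecuteNonQuery is the right call for UPDATE and tells us
                    // whether the WHERE clause actually matched a stored row.
                    affected += command.ExecuteNonQuery();
                }

                // Leaving the using block without Commit rolls the batch back.
                tx.Commit();
            }
        }
        return affected;
    }
}
```

From the button handler, call `GridUpdater.UpdateFromGrid(constring, dataGridView1)` inside a try/catch and show the returned count. A count lower than the number of grid rows means some Time values matched nothing in the table, a condition the original ExecuteReader version masks by showing "Worker Successfully Added" regardless of what happened.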