Query or database error

Time: 2016-09-14 04:23:35

Tags: c# mysql

Hi everyone, I'm having this problem with a string query inserting data in C#. I know my query is correct, because when I type some random words it saves. But when I type the correct data into the textboxes, it gives me an error in the syntax. Here is my code:

try
{
    string connStr = "server = 127.0.0.1; uid = root; " + "pwd =; database = scco";
    // Every textbox value is concatenated straight into the SQL text, so an
    // apostrophe in the input ends the string literal early (the syntax error
    // the question describes) and the statement is open to SQL injection.
    string Query = " insert into scco.m_information (accno,tom,sname,gname,mname,gender,cno,father,mother,bday,age,email,educattain,cstatus,preadd,proadd,yres,residency,toj,comname,comadd,ccno,mincome,oincome,moincome,daccepted,ICS,BOD,DOP,NOS,AOS,YA,spname,spdad,spmom,stoj,scname,scadd,sccno,smi,nc1,stat1,kind1,inc1,allow1,nc2,stat2,kind2,inc2,allow2,nc3,stat3,kind3,inc3,allow3,nc4,stat4,kind4,inc4,allow4,nc5,stat5,kind5,inc5,allow5,nc6,stat6,kind6,inc6,allow6,befname,befrel,refname,refcno) values ('" + this.txtID.Text + "','" + tom + "', '" + this.txtSname.Text + "', '" + this.txtGname.Text + "', '" + this.txtMname.Text + "', '" + gender + "', '" + this.txtCno.Text + "', '" + this.txtDad.Text + "', '" + this.txtMom.Text + "', '" + this.dBirth.Text + "', '" + this.txtAge.Text + "', '" + this.txtEmail.Text + "', '" + this.cmbEducAttain.Text + "', '" + cstatus + "', '" + this.rtbPreAdd.Text + "', '" + this.rtbProAdd.Text + "', '" + this.txtYRes.Text + "', '" + residency + "','" + toj + "', '" + this.rtbComp.Text + "', '" + this.rtbCadd.Text + "', '" + this.txtCCno.Text + "', '" + this.txtMincome.Text + "', '" + this.txtOSincome.Text + "', '" + this.txtIncome.Text + "','" + this.dAccepted.Text + "', '" + this.txtIcs.Text + "', '" + this.txtBod.Text + "', '" + this.txtdop.Text + "', '" + this.txtnos.Text + "', '" + this.txtaos.Text + "', '" + this.txtya.Text + "','" + this.txtSpName.Text + "', '" + this.txtSFname.Text + "', '" + this.txtSMname.Text + "', '" + stoj + "', '" + this.rtbpscomname.Text + "', '" + this.rtbspcomadd.Text + "', '" + this.txtspccno.Text + "', '" + this.txtspminc.Text + "', '" + this.txtChild1.Text + "', '" + this.cmbCStatus1.Text + "', '" + this.cmbKind1.Text + "', '" + this.txtA1.Text + "', '" + this.txtI1.Text + "', '" + this.txtChild2.Text + "', '" + this.cmbCStatus2.Text + "', '" + this.cmbKind2.Text + "', '" + this.txtA2.Text + "', '" + this.txtI2.Text + "', '" + this.txtChild3.Text + "', '" + this.cmbCStatus3.Text + "', '" +
        this.cmbKind3.Text + "', '" + this.txtA3.Text + "', '" + this.txtI3.Text + "', '" + this.txtChild4.Text + "', '" + this.cmbCStatus4.Text + "', '" + this.cmbKind4.Text + "', '" + this.txtA4.Text + "', '" + this.txtI4.Text + "', '" + this.txtChild5.Text + "', '" + this.cmbCStatus5.Text + "', '" + this.cmbKind5.Text + "', '" + this.txtA5.Text + "', '" + this.txtI5.Text + "', '" + this.txtChild6.Text + "', '" + this.cmbCStatus6.Text + "', '" + this.cmbKind6.Text + "', '" + this.txtA6.Text + "', '" + this.txtI6.Text + "','" + this.rtbBefName.Text + "','" + this.rtbBefRel.Text + "','" + this.rtbRefName.Text + "','" + this.rtbRefCno.Text + "');";
    MySqlConnection conn = new MySqlConnection(connStr);
    MySqlCommand MyCommand = new MySqlCommand(Query, conn);
    MySqlDataReader MyReader;

    conn.Open();
    // ExecuteReader on an INSERT returns an empty result set; ExecuteNonQuery
    // is the usual call for statements that return no rows.
    MyReader = MyCommand.ExecuteReader();

    while (MyReader.Read())
    {
    }
    conn.Close();
}
catch (Exception ex)
{
    // The snippet in the question stops at conn.Close(); this catch closes the
    // try block so the code compiles (the handler body is an assumption).
    MessageBox.Show(ex.Message);
}

See the image below.

Here's the output

3 answers:

Answer 0 (score: 2)

To me, it looks like something in the data has an apostrophe in it, so when it's appended to the query string it thinks it's a SQL single quote. You have to escape or translate the apostrophe first.

Answer 1 (score: 2)

Use parameters to avoid SQL injection. Read the excellent comic below or above!

Good luck!

https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters(v=vs.110).aspx
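Answer 1's advice, as an added C# example that is not code from the question or from any of the answers: the question's INSERT rewritten with MySqlParameter binding, reduced to four of the question's columns (the reduced column list, the sample values and the Main method are assumptions).

```csharp
using System;
using MySql.Data.MySqlClient;

// Added example (not from the question or answers): with parameters the driver
// sends the textbox values separately from the SQL text, so an apostrophe in the
// input (e.g. O'Brien) is stored as data instead of breaking the string literal,
// and user input can no longer change the statement (SQL injection).
// Column names follow the question; the reduced column list is an assumption.
public static class MemberInsert
{
    public static int Insert(string connStr, string accno, string sname,
                             string gname, string email)
    {
        const string sql =
            "INSERT INTO scco.m_information (accno, sname, gname, email) " +
            "VALUES (@accno, @sname, @gname, @email)";

        using (var conn = new MySqlConnection(connStr))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            // Values are bound by name; nothing is concatenated into the SQL.
            cmd.Parameters.AddWithValue("@accno", accno);
            cmd.Parameters.AddWithValue("@sname", sname);
            cmd.Parameters.AddWithValue("@gname", gname);
            cmd.Parameters.AddWithValue("@email", email);

            conn.Open();
            // INSERT returns no rows, so ExecuteNonQuery (affected-row count)
            // replaces the ExecuteReader/Read loop from the question.
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Connection string from the question; the credentials are placeholders.
        string connStr = "server=127.0.0.1;uid=root;pwd=;database=scco";
        // "O'Brien" is a constructed value that would break the concatenated query.
        int rows = Insert(connStr, "1001", "O'Brien", "Mary", "mary@example.com");
        Console.WriteLine($"{rows} row(s) inserted");
    }
}
```

For date and numeric columns such as bday or age, bind a typed value (DateTime, int) rather than the raw .Text string so the driver sends the correct type.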

Answer 2 (score: -1)

Add MyReader.Close() above conn.Close()