当我尝试插入我的桌面数据库时,我收到了 SqlException 指向以下代码:
int x = 0;
{
connect.Open(); //connect is an SqlConnection object
x = command.ExecuteNonQuery();
}
错误点在以下行:
x = command.ExecuteNoneQuery;
说:
System.Data.SqlClient.SqlException: Incorrect syntax near ','.
这里是部分c#代码:(相关部分)
SqlConnection connect = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\thkiw\OneDrive\Documents\ilan.mdf;Integrated Security=True;Connect Timeout=30");
SqlCommand command = new SqlCommand("INSERT INTO profiles(userName , name , lastName , password , birthYear , birthMonth , birthDay , gender , email)" +
"VALUES(" + user_name + "," + name +"," + last_name + "," + password + "," +
year +","+ "," + month + "," + "day" + "," +
(gender ? "1": "0") +","+email + ")"
, connect); //GENDER is bit so 1 -true , 0 - false; (gender doesn't seem to convert automatically...)
int x = 0;
//try
{
connect.Open();
x = command.ExecuteNonQuery();
}
/*catch (SqlException exception)
{
Session["lastException"] = exception;
Session["source"] = "register.aspx";
Response.Redirect("handleExceptions.aspx");
}
catch (Exception exception)
{
Session["lastException"] = exception;
Session["source"] = "register.aspx";
Response.Redirect("handleExceptions.aspx");
}*/
connect.Close();
Response.Write("SUCCESS - number of rows affected : " + x);
这是表格架构
这是表格的代码:(个人资料)
CREATE TABLE [dbo].[profiles] (
[userName] NCHAR (10) NOT NULL,
[name] NCHAR (10) NULL,
[lastName] NCHAR (10) NULL,
[birthDay] INT NULL,
[birthMonth] INT NULL,
[birthYear] INT NULL,
[password] NCHAR (15) NULL,
[gender] BIT NOT NULL,
[email] NCHAR(20) NOT NULL,
PRIMARY KEY CLUSTERED ([userName] ASC)
);
答案 0 :(得分:4)
以下是如何处理将数据插入带参数的查询
的方法SqlCommand command = new SqlCommand(
"INSERT INTO profiles(userName, name, lastName, password, birthYear, birthMonth, birthDay, gender, email)" +
"VALUES(@userName, @name, @lastName, @password, @birthYear, @birthMonth, @birthDay, @gender, @email)"
, connect);
command.Parameters.Add("@userName", SqlDbType.NChar, 10).Value = user_name;
command.Parameters.Add("@name", SqlDbType.NChar, 10).Value = name;
command.Parameters.Add("@lastName", SqlDbType.NChar, 10).Value = last_name;
command.Parameters.Add("@password", SqlDbType.NChar, 10).Value = password;
command.Parameters.Add("@birthYear", SqlDbType.Int).Value = year;
command.Parameters.Add("@birthMonth", SqlDbType.Int).Value = month;
command.Parameters.Add("@birthDay", SqlDbType.Int).Value = day;
command.Parameters.Add("@gender", SqlDbType.Bit).Value = gender;
command.Parameters.Add("@email", SqlDbType.NChar, 10).Value = email;
这将避免sql注入并处理格式问题,例如DateTime的格式或需要varchar值周围的单引号。此外,它使查询更清晰,更容易发现问题,如月份和年份之间的两个连续逗号。
答案 1 :(得分:1)
您没有用单引号括起您的值。
但最好的方法是使用SQL参数。这可以防止这样的问题。 https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters(v=vs.110).aspx
这消除了诸如SQL注入之类的问题。这是最佳做法。
command.Parameters.AddWithValue("@userName", user_name);
command.Parameters.AddWithValue("@name", name);
command.Parameters.AddWithValue("@lastName", last_name);
command.Parameters.AddWithValue("@password", password);
command.Parameters.AddWithValue("@year", year);
command.Parameters.AddWithValue("@month", month);
command.Parameters.AddWithValue("@day", day);
command.Parameters.AddWithValue("@gender", gender ? "1" : "0");
command.Parameters.AddWithValue("@email", email);
SqlCommand command = new SqlCommand("INSERT INTO profiles(userName , name , lastName , password , birthYear , birthMonth , birthDay , gender , email) VALUES(@userName , @name , @lastName , @password , @birthYear , @birthMonth , @birthDay , @gender , @email)", connect);
答案 2 :(得分:0)
当你运行ExecuteNonQuery时,你正在调用命令commandText,在你的情况下是:
("INSERT INTO profiles(userName , name , lastName , password , birthYear , birthMonth , birthDay , gender , email)" +
"VALUES(" + user_name + "," + name +"," + last_name + "," + password + "," +
year +","+ "," + month + "," + "day" + "," +
(gender ? "1": "0") +","+email + ")"
, connect);
该错误表示无法处理您的查询,因为命令中有错误。并且,在该命令中,您有:
year +","+ "," + month +
连续插入两个逗号。它应该是:
year + "," + month +
要避免这种字符串连接地狱,您应该使用SqlCommandParameter个对象来配置命令。它还提供针对SQL注入攻击的内置保护。
答案 3 :(得分:-2)
通过以下方式更改sql命令:
SqlCommand command = new SqlCommand(“INSERT INTO profiles(userName,name,lastName,password,birthYear,birthMonth,birthDay,gender,email)”+ “VALUES('”+ user_name +“','”+ name +“','”+ last_name +'“,”'+ password +“',”+ 年+“,”+“,”+月+“,”+“日”+“,”+ (性别?“1”:“0”)+“,'”+ +电子邮件+“')”
, connect);
您忘记在“username”
等字符数据中添加单引号