消息:'ID'附近的语法不正确

时间:2017-02-16 09:56:28

标签: c# sql syntax-error

我可以问为什么弹出的消息会弹出ID附近的错误吗?我找不到解决方法。单击按钮后,它会弹出此消息。

  

消息: “ID”附近的语法错误

public override bool fnSaveNewRecord()
{
    DataSet _ds;
    string _sql;
    object _obj;

    _sql = "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code,company_code, " +
           "corg_code,created_on,created_by) " +
           "VALUES '" + txt_CodeID.Text.Trim() + "','" + cbx_SubInventoryCode.Text + "'," + 
           "'" + cbx_ContactCode.Text + "','" + cbx_CompanyCode.Text + "','" + cbx_CorgCode.Text + "','" +
           "',GETDATE(),'" + App_Common._USER_CODE + "'";

    _ds = new DataSet();
    _obj = new SqlDatabase(App_Common._WSFCSConnStr) as SqlDatabase;
    _ds = ((SqlDatabase)_obj).ExecuteDataSetQ(_sql);

    return base.fnSaveNewRecord();
}

3 个答案:

答案 0 :(得分:3)

尝试使用此查询:

_sql = "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code,company_code, " +
                "corg_code,created_on,created_by) " +
                "VALUES( '" + txt_CodeID.Text.Trim() + "','" + cbx_SubInventoryCode.Text + "'," + 
                "'" + cbx_ContactCode.Text + "','" + cbx_CompanyCode.Text + "','" + cbx_CorgCode.Text + "','" +
                "',GETDATE(),'" + App_Common._USER_CODE + "'"+ "')'";

您错过了使用Values(v1,v2)的括号作为@Peter B评论 查看this link以获取SQL insert语句的参考。

使用参数化查询总是比串联字符串更好,因为它容易受到SQL注入攻击。
Here是使用参数化查询的参考。

希望这有帮助!

答案 1 :(得分:3)

您的SQL语句错误,因为值的括号丢失。

代码非常混乱,很难看到第一眼。因此,您最好使用参数来创建一个更简洁的语句,您可以轻松阅读并检查语法错误:

INSERT INTO do_information 
    ( die_class_code, subinventory_code, contact_code, company_code, corg_code, created_on, created_by ) 
VALUES 
    ( @CodeId, @SubInventoryCode, @ContactCode, @CompanyCode, @CorgCode, GETDATE(), @UserCode )

但你甚至可以做更多的事情来清理这些代码。包裹所有查询。这是你的陈述的一个例子:

从一些可重用的基本声明开始

public interface IExecuteQuery
{
    int Execute();
    Task<int> ExecuteAsync( CancellationToken cancellationToken );
}

public abstract class SqlExecuteQuery : IExecuteQuery
{
    private readonly DbConnection _connection;
    private readonly Lazy<DbCommand> _command;

    protected SqlExecuteQuery( DbConnection connection )
    {
        if ( connection == null )
            throw new ArgumentNullException( nameof( connection ) );
        _connection = connection;
        _command = new Lazy<DbCommand>(
            () =>
            {
                var command = _connection.CreateCommand( );
                PrepareCommand( command );
                return command;
            } );
    }

    protected abstract void PrepareCommand( DbCommand command );

    protected DbCommand Command => _command.Value;

    protected virtual string GetParameterNameFromPropertyName( string propertyName )
    {
        return "@" + propertyName;
    }

    protected T GetParameterValue<T>( [CallerMemberName] string propertyName = null )
    {
        object value = Command.Parameters[ GetParameterNameFromPropertyName( propertyName ) ].Value;
        if ( value == DBNull.Value )
        {
            value = null;
        }
        return (T) value;
    }

    protected void SetParamaterValue<T>( T newValue, [CallerMemberName] string propertyName = null )
    {
        object value = newValue;
        if ( value == null )
        {
            value = DBNull.Value;
        }
        Command.Parameters[ GetParameterNameFromPropertyName( propertyName ) ].Value = value;
    }

    protected virtual void OnBeforeExecute() { }

    public int Execute()
    {
        OnBeforeExecute( );
        return Command.ExecuteNonQuery( );
    }

    public async Task<int> ExecuteAsync( CancellationToken cancellationToken )
    {
        OnBeforeExecute( );
        return await Command.ExecuteNonQueryAsync( cancellationToken );
    }
}

public static class DbCommandExtensions
{
    public static DbParameter AddParameter( this DbCommand command, Action<DbParameter> configureAction )
    {
        var parameter = command.CreateParameter( );
        configureAction( parameter );
        command.Parameters.Add( parameter );
        return parameter;
    }
}

现在为你的陈述定义一个接口

public interface IInsertInformationQuery : IExecuteQuery
{
    string CodeId { get; set; }
    string SubInventoryCode { get; set; }
    string ContactCode { get; set; }
    string CompanyCode { get; set; }
    string CorgCode { get; set; }
    string UserCode { get; }
}

实施

public class SqlInsertInformationQuery : SqlExecuteQuery, IInsertInformationQuery
{
    public SqlInsertInformationQuery( DbConnection connection ) : base( connection )
    {
    }

    protected override void OnBeforeExecute()
    {
        UserCode = App_Common._USER_CODE; // this should be injected
    }

    protected override void PrepareCommand( DbCommand command )
    {
        command.CommandText =
            @"INSERT INTO do_information ( die_class_code, subinventory_code, contact_code, company_code, corg_code, created_on, created_by ) " +
            @"VALUES ( @CodeId, @SubInventoryCode, @ContactCode, @CompanyCode, @CorgCode, GETDATE(), @UserCode )";

        command.AddParameter( p =>
        {
            p.ParameterName = "@CodeId";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@SubInventoryCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@ContactCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@CompanyCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@CorgCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@UserCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
    }

    public string CodeId
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }
    public string SubInventoryCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }
    public string ContactCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }
    public string CompanyCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }
    public string CorgCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    public string UserCode
    {
        get => GetParameterValue<string>( );
        private set => SetParamaterValue( value );
    }

}

最后你的代码看起来像

public override bool fnSaveNewRecord()
{
    var database = new SqlDatabase(App_Common._WSFCSConnStr);
    using ( var connection = database.CreateConnection() )
    {
        connection.Open();
        IInsertInformationQuery query = new SqlInserInformationQuery( connection );

        query.CodeId = txt_CodeID.Text.Trim();
        query.SubInventoryCode = cbx_SubInventoryCode.Text;
        query.ContactCode = cbx_ContactCode.Text;
        query.CompanyCode = cbx_CompanyCode.Text;
        query.CorgCode = cbx_CorgCode.Text;

        var recordsAffected = query.Execute();
    }
    return base.fnSaveNewRecord();
}

答案 2 :(得分:0)

您的SQL查询错误:

  _sql = "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code,company_code, " +
                "corg_code,created_on,created_by) " +
                "VALUES ('" + txt_CodeID.Text.Trim() + "','" + cbx_SubInventoryCode.Text + "'," + 
                "'" + cbx_ContactCode.Text + "','" + cbx_CompanyCode.Text + "','" + cbx_CorgCode.Text + "','" +
                "',GETDATE(),'" + App_Common._USER_CODE + "')";

您的值必须放在括号中。看看这个:

https://www.w3schools.com/sql/sql_insert.asp