Question

public static string storeAvatar(string avatar, string gender, string species, int playerforeignkey )
{ 
    try
    {
        OleDbConnection myConnection = GetConnection();
        OleDbCommand dbCommand = new OleDbCommand();

        dbCommand.CommandText = "INSERT INTO AVATARS ([AVATAR_ID],[AVATAR],[DOB],[STRENGTH],[GENDER],[HOARD],[SPECIES], [METAMORPHOSED], [COST],[PLAYERID_FK]) values (?,?,?,?,?,?,?,?,?,?)"; // command to get high score data
        dbCommand.Parameters.AddWithValue("@id", "AVATARS_SEQ.NEXTVAL");
        dbCommand.Parameters.AddWithValue("@avatar", avatar);
        dbCommand.Parameters.AddWithValue("@date", "TO_CHAR(" + DateTime.Now.ToString("dd/mm/yyyy")+")");
        dbCommand.Parameters.AddWithValue("@strength", 0);
        dbCommand.Parameters.AddWithValue("@gender", gender);
        dbCommand.Parameters.AddWithValue("@hoard", 0);
        dbCommand.Parameters.AddWithValue("@species", species);
        dbCommand.Parameters.AddWithValue("@meta", 0);
        dbCommand.Parameters.AddWithValue("@cost", 0);
        dbCommand.Parameters.AddWithValue("@playerfk", playerforeignkey);
        dbCommand.Connection = myConnection;
        myConnection.Open();
        dbCommand.ExecuteNonQuery();
        myConnection.Close();
    }
    catch (Exception ex)
    {

    }
    return "ERROR";
}

异常错误说我需要错过SELECT个关键字，但我希望INSERT不是SELECT。

EXCEPTION =“处理期间发生了一个或多个错误命令。\ r \ n \ nORA-00928：缺少SELECT关键字“

Answer 1

首先，更新命令文本以使用实际参数名称，其次使用参数的目的也是为了避免尝试使用参数进行SQL注入。

不需要@id参数，因为该值可以像TO_CHAR函数一样直接放入字符串。

//..other code removed for brevity
dbCommand.CommandText = "INSERT INTO AVATARS ([AVATAR_ID],[AVATAR],[DOB],[STRENGTH],[GENDER],[HOARD],[SPECIES], [METAMORPHOSED], [COST],[PLAYERID_FK]) VALUES (AVATARS_SEQ.NEXTVAL,@avatar,TO_CHAR(@date),@strength,@gender,@hoard,@species,@meta,@cost,@playerfk)";
dbCommand.Parameters.AddWithValue("@avatar", avatar);
dbCommand.Parameters.AddWithValue("@date", DateTime.Now.ToString("dd/mm/yyyy"));
dbCommand.Parameters.AddWithValue("@strength", 0);
dbCommand.Parameters.AddWithValue("@gender", gender);
dbCommand.Parameters.AddWithValue("@hoard", 0);
dbCommand.Parameters.AddWithValue("@species", species);
dbCommand.Parameters.AddWithValue("@meta", 0);
dbCommand.Parameters.AddWithValue("@cost", 0);
dbCommand.Parameters.AddWithValue("@playerfk", playerforeignkey);
//..other code removed for brevity

事实上，我甚至建议将所有常量值直接放入查询中，并将参数减少到预期经常更改的值。

例如

//..other code removed for brevity
dbCommand.CommandText = "INSERT INTO AVATARS ([AVATAR_ID],[AVATAR],[DOB],[STRENGTH],[GENDER],[HOARD],[SPECIES], [METAMORPHOSED], [COST],[PLAYERID_FK]) 
VALUES (AVATARS_SEQ.NEXTVAL,@avatar,TO_CHAR(@date),0,@gender,0,@species,0,0,@playerfk)";
dbCommand.Parameters.AddWithValue("@avatar", avatar);
dbCommand.Parameters.AddWithValue("@date", DateTime.Now.ToString("dd/mm/yyyy"));
dbCommand.Parameters.AddWithValue("@gender", gender);
dbCommand.Parameters.AddWithValue("@species", species);
dbCommand.Parameters.AddWithValue("@playerfk", playerforeignkey);
//..other code removed for brevity

为什么我在数据库插入命令上出现异常错误？

1 个答案: