OleDbException:INSERT INTO语句中的语法错误

时间:2017-05-27 12:06:22

标签: c# .net insert-into oledbcommand oledbexception

我得到了OleDbException:INSERT INTO语句中的语法错误。我认为我的INSERT INTO声明很好。参数具有良好的数据类型,因此它不是问题。有人可能知道问题是什么吗?

        OleDbCommand command = new OleDbCommand();
        command.Connection = conn;
        command.CommandType = CommandType.Text;
        command.CommandText = String.Format("INSERT INTO Employees" +
            " (ID, Company, Last Name, First Name, E-mail Address, Job Title, Business Phone, Home Phone" +
            ", Mobile Phone, Fax NUmber, Address, City, State/Province, ZIP/Postal Code, Country/Region, Web Page, Notes)" +
            " Values ('{0}', '{1}','{2}','{3}','{4}','{5}'," +
            "'{6}','{7}','{8}','{9}','{10}','{11}','{12}','{13}','{14}','{15}','{16}')", iD,kompanija,prezime,ime,email,
           zvanje,busTelefon,telefon,mobTelefon,fax,adresa,grad,okrug,postanskiBroj,zemlja,web,beleska);               zvanje,busTelefon,telefon,mobTelefon,fax,adresa,grad,okrug,postanskiBroj,zemlja,web,beleska);

        conn.Open();
        command.ExecuteNonQuery();
        conn.Close();

错误讯息: enter image description here

UDATE SQL:

        OleDbCommand command = new OleDbCommand();
        command.Connection = conn;
        command.CommandType = CommandType.Text;
        string cmdText = String.Format(@"UPDATE TABLE Employees " +
                        "SET" +
                        " Company='" + kompanija + "'," +
                        " [Last Name]='" + prezime + "'," +
                        " [First Name]='" + ime + "'," +
                        " [E-mail Address]='" + email + "' ," +
                        " [Job Title]='" + zvanje +"'," +
                        " [Business Phone]='" + busTelefon + "'," +
                        " [Home Phone]='" + telefon + "'," +
                        " [Mobile Phone]='" + mobTelefon + "'," +
                        " [Fax Number]='" + fax + "'," +
                        " Address='" + adresa + "'," +
                        " City='" + grad + "'," +
                        " [State/Province]='" + okrug + "'," +
                        " [ZIP/Postal Code]='" + postanskiBroj + "'," +
                        " [Country/Region]='" + zemlja + "'," +
                        " [Web Page]='" + web + "'," +
                        " Notes='" + beleska + "' WHERE ID="+iD);
        command.CommandText = cmdText;

        conn.Open();
        command.ExecuteNonQuery();
        conn.Close();

这个SQL不起作用。像以前一样的错误。

1 个答案:

答案 0 :(得分:2)

如果您的字段名称包含空格或其他误导字符,例如/(除法运算符),则需要将它们括在方括号中

  ion-scroll[scrollX] {
    white-space: nowrap;
    height: 120px;
    overflow: hidden;

    .scroll-item {
      display: inline-block;
    }

    .selectable-icon{
      margin: 10px 20px 10px 20px;
      color: red;
      font-size: 100px;
    }

    ion-avatar img{
      margin: 10px;
    }
  }

  ion-scroll[scroll-avatar]{
    height: 60px;
  }

  /* Hide ion-content scrollbar */
  ::-webkit-scrollbar{
    display:none;
  }

此外,您还没有在查询中使用参数。 String.Format只是另一种类型的字符串连接,无法通过无效输入保护您(例如,尝试在lastname值中使用单引号)并且无法保存Sql Injection vulnerability中的代码。

您应始终使用参数化查询

 string cmdText = @"INSERT INTO Employees
                  (ID, Company, [Last Name], [First Name], [E-mail Address],
                   .., [State/Province], ....) VALUES (....)";
相关问题
最新问题