c＃sqlite错误抛出isSQLite错误1：'near'失败“：语法错误'

Question

循环遍历一个字符串数组，将它们插入到sqlite数据库但是失败

   public static bool SavePermissions(String[] permissions)
    {
        try
        {
          using (SqliteConnection db = new SqliteConnection("Filename="+ shared.AppDetails.dbname))
            {
                db.Open();
                SqliteCommand insertCommand = new SqliteCommand();
                insertCommand.Connection = db;
                String tableCommand = "CREATE TABLE IF NOT EXISTS " + _permissiontbl + " (id INTEGER PRIMARY KEY AUTOINCREMENT, user_perm NVARCHAR(2048) UNIQUE)";
                SqliteCommand createTable = new SqliteCommand(tableCommand, db);

                try
                {
                    createTable.ExecuteReader();
                    deletePermissions();
                     foreach (String i in permissions)
                    {
                        var sql = "insert into " + _permissiontbl + " (user_perm) values ("+ i +")";
                        SqliteCommand command = new SqliteCommand(sql, db);
                        command.ExecuteNonQuery();
                    }


                }
                catch (SqliteException exp)
                {
                    //Handle error
                    Debug.WriteLine("sqlite error thrown is"+exp.Message);
                }
                db.Close();
            }

        }
        catch(Exception exp)
        {
            Debug.WriteLine(exp.Message);
        }

THE ABOVE抛出错误

抛出sqlite错误isSQLite错误1：'near'失败“：语法错误'。

我在哪里错了，因为我只是循环一个字符串数组并逐个保存它们？

Answer 1

您在发送到数据库的字符串周围缺少单个刻度。

var sql = "insert into " + _permissiontbl + " (user_perm) values ('" + i + "')";

Per @ DangerZone的建议，我确实认为你应该参数化你的查询。

Per @ Rahul的建议，以下是参数化查询的示例：

var sql = "insert into " + _permissiontbl + " (user_perm) values (@perm)";
SQLiteCommand command = new SQLiteCommand(sql, db);
command.Parameters.Add(new SQLiteParameter("@perm", i));
command.ExecuteNonQuery();