使用ExecuteNonQuery插入记录,显示无效列名的异常

时间:2011-01-11 04:16:40

标签: c# sql-server-2008

我正在使用SQL Server 2008。

我想使用ExecuteNonQuery将记录插入到表中,因为我写了:

customUtility.ExecuteNonQuery("insert into furniture_ProductAccessories(Product_id, Accessories_id, SkuNo, Description1, Price, Discount) values(" + prodid + "," + strAcc + "," + txtSKUNo.Text + "," + txtAccDesc.Text + "," + txtAccPrices.Text + "," + txtAccDiscount.Text + ")");

&安培;以下是ExecuteNonQuery函数:

    public static bool ExecuteNonQuery(string SQL)
    {
        bool retVal = false;

        using (SqlConnection con = new SqlConnection(System.Web.Configuration.WebConfigurationManager.ConnectionStrings["dbConnect"].ToString()))
        {
            con.Open();
            SqlTransaction trans = con.BeginTransaction();
            SqlCommand command = new SqlCommand(SQL, con, trans);
            try
            {
                command.ExecuteNonQuery();
                trans.Commit();
                retVal = true;
            }
            catch(Exception ex)
            {
                //HttpContext.Current.Response.Write(SQL + "<br>" + ex.Message);
                //HttpContext.Current.Response.End();
            }
            finally
            {
                // Always call Close when done reading.
                con.Close();
            }
            return retVal;
        }
    }

但它显示 Description1 的无效列名的异常,甚至是来自txtAccDesc.Text的值。我尝试删除Description1列,其他记录已成功插入。

1 个答案:

答案 0 :(得分:5)

我的通灵调试功能告诉我您正在将值Description1输入文本框txtAccDesc。连接SQL字符串时无法分隔文字值。

e.g。 

"," + txtAccDesc.Text + "," +

应该是

", '" + txtAccDesc.Text + "', " +

然而,这是一个糟糕的解决方案,因为它打开了SQL注入攻击(更不用说你需要处理文字中的引号和逗号)你应该使用{{3}而不是。

e.g。 (用记事本写的警告,可能无法编译)

string SQL = "insert into furniture_ProductAccessories(Product_id,Accessories_id,SkuNo,Description1,Price,Discount) values(@Product_id,@Accessories_id,@SkuNo,@Description1,@Price,@Discount)"

SqlParameters[] parameters = new SQLParameters[6];
parameters[0] = new SqlParameter("@Product_id", SqlDbType.Int, prodid );
parameters[1] = new SqlParameter("@Accessories_id", SqlDbType.VarChar, strAcc );
parameters[2] = new SqlParameter("@SkuNo", SqlDbType.VarChar, txtSKUNo);
parameters[3] = new SqlParameter("@Description1", SqlDbType.VarChar, txtAccDesc.Text);
parameters[4] = new SqlParameter("@Price", SqlDbType.Money, txtAccPrices.Text);
parameters[5] = new SqlParameter("@Discount", SqlDbType.Money, txtAccDiscount.Text);

customUtility.ExecuteNonQuery(sql, paramters)

public static bool ExecuteNonQuery(string SQL, SqlParameters[] parameters)
{
    bool retVal = false;

    using (SqlConnection con = new SqlConnection(System.Web.Configuration.WebConfigurationManager.ConnectionStrings["dbConnect"].ToString()))
    {
        con.Open();
        SqlTransaction trans = con.BeginTransaction();
        SqlCommand command = new SqlCommand(SQL, con, trans);
        cmd.parameters.AddRange(parameters);
        try
        {
            command.ExecuteNonQuery();
            trans.Commit();
            retVal = true;
        }
        catch(Exception ex)
        {
            //HttpContext.Current.Response.Write(SQL + "<br>" + ex.Message);
            //HttpContext.Current.Response.End();
        }
        // finally
        //{
            //Always call Close when done reading.
            //con.Close(); Using already does this, so need for this
        //}
        return retVal;
    }
}
相关问题
最新问题