sqlite3查询C＃中的异常

Question

下面是我将数据插入sqlite3数据库的代码，表名和查询似乎正确，但是每当我插入数据时都会出现异常。

        query = "INSERT INTO Order (Name, Quantity, SUPrice, Desc, Total, Paid, Remain) VALUES ( '" + orderDto.Name + "', '" + orderDto.Quantity + "', '" + orderDto.SUPrice + "', '" + orderDto.Description + "', '" + orderDto.Total + "', '" + orderDto.Paid + "', '" + orderDto.Remaining  + "')";
        connection.Open();
        command = new SQLiteCommand(query, connection);
        command.ExecuteNonQuery();
        connection.Close();

Answer 1

您可以尝试用双引号order来转义"，因为order是关键字。

但是您的代码SQL-injection中存在问题。

我将使用参数而不是connecte SQL字符串。

query = "INSERT INTO \"Order\" (Name, Quantity, SUPrice, Desc, Total, Paid, Remain) VALUES (@Name,@Quantity,@SUPrice,@Description,@Total,@Paid,@Remain)"
connection.Open();
command = new SQLiteCommand(query, connection);
command.Parameters.Add(new SQLiteParameter("@Name", orderDto.Name);
command.Parameters.Add(new SQLiteParameter("@Quantity", orderDto.Quantity));
command.Parameters.Add(new SQLiteParameter("@SUPrice" , orderDto.SUPrice));
command.Parameters.Add(new SQLiteParameter("@Description" , orderDto.Description));
command.Parameters.Add(new SQLiteParameter("@Total", orderDto.Total));
command.Parameters.Add(new SQLiteParameter("@Paid" , orderDto.Paid));
command.Parameters.Add(new SQLiteParameter("@Remain" , orderDto.Remaining));
command.ExecuteNonQuery();
connection.Close();

Answer 2

我建议对数据库查询使用string.Format，它不会太杂乱。

query = string.Format("INSERT INTO Order (Name, Quantity, SUPrice, Desc, Total, Paid, Remain) VALUES ( '{0}', '{1}', '{2}', '{3}', '{3}', '{4}', '{5}')", orderDto.Name, orderDto.Quantity, orderDto.SUPrice, orderDto.Description, orderDto.Total, orderDto.Paid, orderDto.Remaining);

也可以尝试在数据库浏览器中查询SQLite，可以先测试查询，然后再将其放入代码中。 http://sqlitebrowser.org/