New MySQL error:
ERROR [42000] [MySQL][ODBC 3.51 Driver][mysqld-5.5.9]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'System.Data.Odbc.OdbcCommand' at line 1
I have never seen this error before, and I don't know what it relates to.
// requires: using System.Data.Odbc;
using (OdbcConnection connection = new OdbcConnection("Driver={MySQL ODBC 3.51 Driver}; Server=localhost; Database=gymwebsite2; User=root; Password=fakepass;"))
{
    // ODBC command and transaction objects
    OdbcCommand command = new OdbcCommand();
    OdbcTransaction transaction = null;
    // tell the command to use our connection
    command.Connection = connection;
    try
    {
        // open the connection
        connection.Open();
        // start the transaction
        transaction = connection.BeginTransaction();
        // Assign transaction object for a pending local transaction.
        command.Connection = connection;
        command.Transaction = transaction;
        // TODO: Build a SQL INSERT statement
        // (the raw TextBox values are spliced straight into the SQL text here)
        OdbcCommand cmd = new OdbcCommand("INSERT INTO User (Email, FirstName, SecondName, DOB, Location, Aboutme, username, password) VALUES ('" + TextBox1.Text + "', '" + TextBox2.Text + "', '" + TextBox3.Text + "', '" + TextBox4.Text + "', '" + TextBox5.Text + "', '" + TextBox6.Text + "', '" + TextBox7.Text + "', '" + TextBox8.Text + "')", connection);
        // run the insert using a non query call
        // cmd.ToString() is Object.ToString(), so CommandText becomes the type name
        // "System.Data.Odbc.OdbcCommand" instead of the SQL built above; that type name
        // is the text MySQL quotes back in the syntax error
        command.CommandText = cmd.ToString();
        command.ExecuteNonQuery();
        /* now we want to make a second call to MYSQL to get the new index
           value it created for the primary key. This is called using scalar so it will
           return the value of the SQL statement. We convert that to an int for later use. */
        command.CommandText = "select last_insert_id();";
        int id = Convert.ToInt32(command.ExecuteScalar());
        Label10.Text = Convert.ToString(id);
        // the name id doesn't exist in the current context
        // Commit the transaction.
        transaction.Commit();
    }
    catch (Exception ex)
    {
        Label10.Text = ": " + ex.Message;
        try
        {
            // Attempt to roll back the transaction.
            transaction.Rollback();
        }
        catch
        {
            // Do nothing here; transaction is not active.
        }
    }
}
Edit
// requires: using System.Data.Odbc;
using (var conn = new OdbcConnection("Driver={MySQL ODBC 3.51 Driver}; Server=localhost; Database=gymwebsite2; User=root; Password=fakepass;"))
{
    conn.Open();
    using (var tx = conn.BeginTransaction())
    {
        using (var cmd = conn.CreateCommand())
        {
            // cmd.Transaction is never assigned, although conn now has a pending local
            // transaction; that is the mismatch the ODBC provider reports on ExecuteNonQuery
            // (note also that System.Data.Odbc binds parameters positionally with '?' markers
            // and does not recognise named @markers)
            cmd.CommandText = "INSERT INTO User (Email, FirstName, SecondName, DOB, Location, Aboutme, username, password) VALUES (@Email, @FirstName, @SecondName, @DOB, @Location, @Aboutme, @username, @password)";
            cmd.Parameters.AddWithValue("@Email", TextBox1.Text);
            cmd.Parameters.AddWithValue("@FirstName", TextBox2.Text);
            cmd.Parameters.AddWithValue("@SecondName", TextBox3.Text);
            // TODO: might require a parsing if the column is of type date in SQL
            cmd.Parameters.AddWithValue("@DOB", TextBox4.Text);
            cmd.Parameters.AddWithValue("@Location", TextBox5.Text);
            cmd.Parameters.AddWithValue("@Aboutme", TextBox6.Text);
            cmd.Parameters.AddWithValue("@username", TextBox7.Text);
            cmd.Parameters.AddWithValue("@password", TextBox8.Text);
            cmd.ExecuteNonQuery();
            //error on this line
        }
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "select last_insert_id();";
            int id = Convert.ToInt32(cmd.ExecuteScalar());
            Label10.Text = Convert.ToString(id);
        }
        tx.Commit();
    }
}
"ExecuteNonQuery requires the command to have a transaction when the connection assigned to the command is in a pending local transaction. The Transaction property of the command has not been initialized."
Answer 0 (score: 8)
Why are you still using the faulty ODBC connection to MySql when there is the ADO.NET connector? And what is this horrible string concatenation when forming the query?:
OdbcCommand cmd = new OdbcCommand("INSERT INTO User (Email, FirstName, SecondName, DOB, Location, Aboutme, username, password) VALUES ('" + TextBox1.Text + "', '" + TextBox2.Text + "', '" + TextBox3.Text + "', '" + TextBox4.Text + "', '" + TextBox5.Text + "', '" + TextBox6.Text + "', '" + TextBox7.Text + "', '" + TextBox8.Text + "')", connection);
Have you ever heard of SQL injection, and of parametrized queries, which let you avoid it?
All I can say is that if you use the + sign when writing a SQL query, it is like picking up a gun and shooting yourself in the foot (or somewhere else, depending on the scenario, but in all cases you are shooting yourself, which is basically an act of suicide).
So, here is the correct way to do things:
// requires: using MySql.Data.MySqlClient; (MySQL Connector/NET, the ADO.NET connector)
using (var conn = new MySqlConnection("Server=localhost; Database=gymwebsite2; User=root; Password=commando;"))
{
    conn.Open();
    using (var tx = conn.BeginTransaction())
    {
        using (var cmd = conn.CreateCommand())
        {
            // enlist the command in the pending transaction explicitly; providers that
            // enforce this rule (the ODBC provider in the question does) reject it otherwise
            cmd.Transaction = tx;
            cmd.CommandText = "INSERT INTO User (Email, FirstName, SecondName, DOB, Location, Aboutme, username, password) VALUES (@Email, @FirstName, @SecondName, @DOB, @Location, @Aboutme, @username, @password)";
            cmd.Parameters.AddWithValue("@Email", TextBox1.Text);
            cmd.Parameters.AddWithValue("@FirstName", TextBox2.Text);
            cmd.Parameters.AddWithValue("@SecondName", TextBox3.Text);
            // TODO: might require a parsing if the column is of type date in SQL
            cmd.Parameters.AddWithValue("@DOB", TextBox4.Text);
            cmd.Parameters.AddWithValue("@Location", TextBox5.Text);
            cmd.Parameters.AddWithValue("@Aboutme", TextBox6.Text);
            cmd.Parameters.AddWithValue("@username", TextBox7.Text);
            // the password is stored exactly as typed (nothing here hashes it)
            cmd.Parameters.AddWithValue("@password", TextBox8.Text);
            cmd.ExecuteNonQuery();
        }
        using (var cmd = conn.CreateCommand())
        {
            cmd.Transaction = tx;
            cmd.CommandText = "select last_insert_id();";
            int id = Convert.ToInt32(cmd.ExecuteScalar());
            Label10.Text = Convert.ToString(id);
        }
        tx.Commit();
    }
}
Also, please name those text boxes. The poor person who has to maintain this code may let out a scream of despair.
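The injection the answer warns about, worked through as an added example (editor's code, not from the question or the answer). Python's sqlite3 stands in for ADO.NET here because the mechanism is identical on either side: the database parses the SQL text it receives, so anything from the form that is spliced into that text is SQL. The column list and the VALUES layout are the ones from the page; the table schema, the honest form submission and the attacker's TextBox1 value are constructed for the demo. It goes slightly beyond the page by showing that a single INSERT with no multi-statement support is already enough to create an account with a username of the attacker's choosing, while the parameterized version stores the same payload as an inert string.

```python
import sqlite3

# Constructed stand-in for the page's User table (the real MySQL schema is not on
# the page); sqlite3 is used only because it runs in-process and offline.
COLUMNS = ("Email", "FirstName", "SecondName", "DOB",
           "Location", "Aboutme", "username", "password")
COLUMN_LIST = ", ".join(COLUMNS)


def fresh_db():
    """In-memory database with an auto-increment key, mirroring the id the
    question reads back with select last_insert_id()."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE User (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        + ", ".join(f"{c} TEXT" for c in COLUMNS) + ")"
    )
    return conn


def insert_concatenated(conn, fields):
    """The question's first attempt: each TextBox value is spliced into the SQL
    text, so the database parser treats whatever the user typed as SQL."""
    sql = (f"INSERT INTO User ({COLUMN_LIST}) VALUES ('"
           + "', '".join(fields) + "')")
    cur = conn.execute(sql)
    conn.commit()
    return cur.lastrowid


def insert_parameterized(conn, fields):
    """The answer's approach: the SQL text is fixed and the values travel as
    parameters, so they are never parsed as SQL."""
    placeholders = ", ".join("?" for _ in COLUMNS)
    sql = f"INSERT INTO User ({COLUMN_LIST}) VALUES ({placeholders})"
    cur = conn.execute(sql, fields)
    conn.commit()
    return cur.lastrowid  # sqlite's counterpart of select last_insert_id()


def stored_accounts(conn):
    """What actually landed in the table: (Email, username, password) per row."""
    return conn.execute(
        "SELECT Email, username, password FROM User ORDER BY id").fetchall()


# Constructed form submission, in TextBox1..TextBox8 order.
HONEST_FORM = ("bob@example.com", "Bob", "Builder", "1990-05-05",
               "Leeds", "hi there", "bob", "secret")

# Constructed attacker value for TextBox1 (Email). It closes the row being built,
# supplies a complete extra row with the attacker's own username and password,
# and reopens a row so the remainder of the concatenated statement still parses.
INJECTED_EMAIL = ("eve@example.com', 'Eve', 'Evil', '2000-01-01', 'nowhere', "
                  "'x', 'admin', 'pwned'), ('")
ATTACK_FORM = (INJECTED_EMAIL,) + HONEST_FORM[1:]


def run_comparison():
    """Submit the same attacker form through both code paths and return
    (last_insert_id, stored rows) for each, keyed by path name."""
    results = {}

    conn = fresh_db()
    last_id = insert_concatenated(conn, ATTACK_FORM)
    results["concatenated"] = (last_id, stored_accounts(conn))

    conn = fresh_db()
    last_id = insert_parameterized(conn, ATTACK_FORM)
    results["parameterized"] = (last_id, stored_accounts(conn))
    return results


if __name__ == "__main__":
    for path, (last_id, accounts) in run_comparison().items():
        print(f"{path}: last_insert_id={last_id}")
        for email, username, password in accounts:
            print(f"  username={username!r} password={password!r} email={email[:40]!r}")
```

Running it, the concatenated path reports two rows, the first of them the attacker's 'admin' account, and the legitimate user ends up with an empty email; the parameterized path reports a single row whose Email column holds the whole payload as plain text. The same split applies to the MySqlCommand code in the answer: what protects it is that the values arrive as parameters, not that the + signs are gone from the C# source.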