请帮助从C＃中的文本框中找出此数据库更新语句的错误

Question

comm.CommandText =
        "UPDATE studbiodata([Registration Number], Surname, Othernames, Email,"
      + " Phone, Address, Sex, [Birth Date], Religion, [Marital Status],"
      + " [No. of Children], [Next of Kin], Relationship, [Next of Kin Address])"
      + "SET ([Registration Number] ='" + txtRegNo.Text
      + "', Surname = '" + txtSurname.Text
      + "', Othernames = '" + txtOthernames.Text
      + "', Email = '" + txtEmail.Text
      + "', Phone = '" + txtPhone.Text
      + "', Address = '" + txtMainAdd.Text
      + "', Sex = '" + txtSex.Text
      + "', [Birth Date]= '" + txtBirthDate.Text
      + "', Religion = '" + txtReligion.Text
      + "', [Marital Status]= '" + txtMarital.Text
      + "', [No.of Children] = '" + txtChildren.Text
      + "', [Next of Kin]= '" + txtKin.Text
      + "', Relationship ='" + txtRelationship.Text
      + "', [Next of Kin Address]= '" + txtKinAdd.Text
      + "' WHERE [Registration Number]= '" + txtRegNo.Text + "')";

尝试从网络表单更新后我收到的错误消息是：

 System.Data.SqlClient.SqlException (0x80131904): Incorrect syntax near '('. Incorrect syntax near the keyword 'SET'.
 at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
 at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
 at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning()
 at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
 at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async)
 at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
 at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
 at Transcript.studentprofileedit.btnUpdate_Click(Object sender, EventArgs e)
 in C:\Users\Administrator.femzy-PC\Documents\Visual Studio 2010\Projects\Transcript Reloaded\Transcript\studentprofileedit.aspx.cs:line 119

Answer 1

我看到错误的第一件事是它是如何使您的网站易受SQL注入攻击的经典示例。这正是 NOT 使用用户输入编写sql语句的方式。

可能发生的事情是用户正在输入带有单引号（撇号）的内容，而且它正在弄乱声明。

https://www.owasp.org/index.php/SQL_injection

http://en.csharp-online.net/ASP.NET_Security_Hacks%E2%80%94Avoiding_SQL_Injection

使用带有参数的parameterized queries或存储过程作为绝对的第一步。这将消除由意外用户输入引起的错误（例如，“O'Connor”作为姓氏，会以这种方式编码的语句中导致错误）。 然后如果仍有问题，请返回查看声明。您可以使用用户输入（几乎每个程序都可以） - 您只需要安全地进行操作。

（最后编辑 - 一篇更好的文章）

http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html

Answer 2

语法错误，您不需要先指定列列表。

UPDATE studbiodatarital SET [Registration Number] ='“+ txtRegNo.Text +”'，Surname ='“+ txtSurname.Text +”'，Othernames ='“+ txtOthernames.Text +”'，Email ='“+ txtEmail.Text +“'，Phone ='”+ txtPhone.Text +“'，Address ='”+ txtMainAdd.Text +“'，Sex ='”+ txtSex.Text +“'，[出生日期] ='” + txtBirthDate.Text +“'，Religion ='”+ txtReligion.Text +“'，[Marital Status] ='”+ txtMarital.Text +“'，[No.of Children] ='”+ txtChildren.Text +“ '，[Next of Kin] ='“+ txtKin.Text +”'，Relationship ='“+ txtRelationship.Text +”'，[Kin Address的下一个] ='“+ txtKinAdd.Text +”'WHERE [注册号码] ='“+ txtRegNo.Text +”'）