[英]Syntax error in INSERT INTO statement
I am writing the following code in my C-Sharp Form Application and its giving me the following error. 我正在C-Sharp表单应用程序中编写以下代码,它给了我以下错误。
> Syntax error in INSERT INTO statement.
OleDbCommand cmd =
new OleDbCommand(
"Insert into Info (username, password) Values ('"
+ username
+ "', '"
+ password
+ "')"
, conn
);
The word PASSWORD is a reserved keyword. 密码一词是保留的关键字。 To use it you should enclose the string in square brackets 要使用它,您应该将字符串用方括号括起来
OleDbCommand cmd = new OleDbCommand("Insert into Info (username, [password]) Values ('" + username + "', '" + password + "')", conn);
And please, please, do not use string concatenation to build sql statements. 而且,请不要使用字符串连接来构建sql语句。 It is a very bad practice that leads to other syntax errors (username or password with single quotes) or worst to a sql injection Attacks. 这是一种非常糟糕的做法,它会导致其他语法错误(用户名或密码带有单引号),或者导致更严重的sql注入攻击。 Take a look here to what could happen if you have a smart and malicious user 看看这里 ,如果您有一个聪明而恶意的用户,将会发生什么
OleDbCommand cmd = new OleDbCommand("Insert into Info (username, [password]) Values (?,?)", conn);
cmd.Parameters.AddWithValue("@p1", username);
cmd.Parameters.AddWithValue("@p2", password);
cmd.ExecuteNonQuery();
You need to bracket off password
. 您需要将password
括起来。 It's a reserved word . 这是一个保留字 。
OleDbCommand cmd =
new OleDbCommand("Insert into Info (username, [password]) Values ('" + username + "', '" + password + "')", conn);
Maybe there's an illegal character (such as a single quote) within the username or password variables. 用户名或密码变量中可能存在非法字符(例如单引号)。 Make sure they're sanitized. 确保它们已消毒。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.