DataAdapter.Fill语法错误
[英]DataAdapter.Fill syntax error
问题描述
So, 
所以,
Trying to write a very simple method to update a single column in a database. 尝试编写一种非常简单的方法来更新数据库中的单个列。 I keep getting a runtime error of "Syntax Error" near the commented line below 我在下面的注释行附近不断收到“语法错误”的运行时错误
public void SaveStatus(string id, string step)
{
// assuming that there is only one matching student ID
connect = new SqlConnection(connectionString);
connect.Open();
dataSet = new DataSet();
string command = "SELECT * FROM tblSubmissions WHERE Id = " + id;
dataAdapter = new SqlDataAdapter(command, connect);
dataAdapter.Fill(dataSet, "tblSubmissions"); // syntax error near here
dataSet.Tables[0].Rows[0]["StatusID"] = step;
dataAdapter.Update(dataSet, "tblSubmissions");
dataAdapter.Dispose();
connect.Close();
connect.Dispose();
}
Hoping someone can point out the obvious problem I'm missing 希望有人可以指出我所缺少的明显问题
1 个解决方案
解决方案1
3 已采纳 2013-10-18 18:21:51
The query should be "SELECT * FROM tblSubmissions WHERE Id = 'id_value' - you're missing the quotes around the id value. 查询应为"SELECT * FROM tblSubmissions WHERE Id = 'id_value'您缺少id值周围的引号。
Use a parametrised query instead of string concatenation to fix your problem and get rid of the SQL injection issue: 使用参数化查询而不是字符串连接来解决问题并摆脱SQL注入问题:
SqlCommand cmd = new SqlCommand("SELECT * FROM tblSubmissions WHERE Id = @id" , connect);
cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier);
cmd.Parameters["@id"].Value = id;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.