SQL查询错误:“#”附近的语法不正确?
[英]SQL query error :Incorrect Syntax Near “#”?
问题描述
When I try to execute this SQL query: 
当我尝试执行此SQL查询时:
savInto.CommandText = "update onCommands set warnDate =#" & movDate.Value.ToString("MM/dd/yyyy")
& "#,updateDate =#" & Date.Now.ToShortDateString
& "#,transportCompany ='" & Trim(Company.Text)
& "' where ID =" & moveID
I get this error: 我收到此错误:
Incorrect syntax near '#'
2 个解决方案
解决方案1
4 已采纳 2013-11-29 13:36:59
Well the main problem is that you're trying to provide the parameter as part of the SQL itself. 好吧,主要的问题是您试图提供参数作为SQL本身的一部分。 While there are ways of doing that (use an apostrophe rather than # ), it's generally a bad idea: 尽管有很多方法可以做到(使用撇号而不是# ),但这通常是一个坏主意:
- It invites SQL injection attacks when used with arbitrary strings 与任意字符串一起使用时会引发SQL注入攻击
- It makes it harder to read the code 这使得阅读代码更加困难
- It introduces unnecessary string conversions 它引入了不必要的字符串转换
Instead, you should use parameterized SQL and specify the value for the parameter. 相反,您应该使用参数化的SQL并指定参数的值。 Something like: 就像是:
savInto.CommandText = "update onCommands set warnDate = @warnDate" &
", updateDate = @updateDate, transportCompany = @transportCompany" &
" where ID=@moveID"
savInto.Parameters.Add("@warnDate", SqlDbType.DateTime).Value = movDate
savInto.Parameters.Add("@updateDate", SqlDbType.DateTime).Value = Date.Now
savInto.Parameters.Add("@transportCompany", SqlDbType.NVarChar).Value = Trim(Company.Text)
savInto.Parameters.Add("@moveID", SqlDbType.NVarChar).Value = moveID
解决方案2
1 2013-11-29 13:38:39
Why are you using # character? 为什么使用#字符? What database are you using (sql server, oracle, mysql...) 您正在使用什么数据库(SQL Server,Oracle,MySQL ...)
Try this: 尝试这个:
savInto.CommandText = "update onCommands set warnDate ='" & movDate.Value.ToString("MM/dd/yyyy") & "',updateDate ='" & Date.Now.ToShortDateString & "',transportCompany ='" & Trim(Company.Text) & "' where ID =" & moveID
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.