[英]Syntax error in query expression
string q = "UPDATE tableAbsensi SET Absen_keluar =('"+(DateTime.Now.ToString("hh:mm"))+"') WHERE ID ='"+ idkaryawantxt.Text.ToString() + "' AND Tanggal ='" + (DateTime.Now.ToString("MM-dd-yyyy"));
I think I have error in my syntax, can you guys help me? 我认为我的语法有误,您能帮我吗? Thanks
谢谢
here's the picture of error : http://sadpanda.us/images/1889033-X8SIZZN.jpg 这是错误的图片: http : //sadpanda.us/images/1889033-X8SIZZN.jpg
It looks like you're missing a quote. 您好像错过了报价。 This:
这个:
AND Tanggal ='" + (DateTime.Now.ToString("MM-dd-yyyy"));
should probably be 应该是
AND Tanggal ='" + (DateTime.Now.ToString("MM-dd-yyyy") + "');
But you really should use parameters instead to prevent errors like these and also SQL injection . 但是您确实应该使用参数来防止此类错误以及SQL注入 。
You should never use string concatenations in your sql queries. 您绝对不要在sql查询中使用字符串连接。 Always use parameterized queries .
始终使用参数化查询 。 This kind of string concatenations are open for SQL Injection attacks.
这类字符串连接对SQL注入攻击开放。
With this concatenations, you might forget to use some comma, quotes, brackets etc.. 通过这种串联,您可能会忘记使用一些逗号,引号,方括号等。
Also use the using
statement to dispose your Connection
and Command
. 还可以使用
using
语句来处理Connection
和Command
。 For example; 例如;
using(OleDbConnection con = new OleDbConnection(ConnectionString))
using(OleDbCommand cmd = com.CreateCommand())
{
string s = "UPDATE tableAbsensi SET Absen_keluar=? WHERE ID=? AND Tanggal=?";
cmd.CommandText = s;
cmd.Parameters.AddWithValue("@absen", DateTime.Now.ToString("hh:mm"));
cmd.Parameters.AddWithValue("@id", idkaryawantxt.Text.ToString());
cmd.Parameters.AddWithValue("@tanggal", DateTime.Now.ToString("MM-dd-yyyy"));
cmd.ExecuteNonQuery();
}
Don't use string concatenation to insert values into SQL code. 不要使用字符串串联将值插入SQL代码。 Always use parameters and issues like this caused by formatting just go away.
始终使用由格式化引起的此类参数和问题,否则就会消失。 To learn why and how to use parameters, check this out .
要了解为什么以及如何使用参数, 请查看 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.