从用户在asp.net C#中输入的数据向SQL Server数据库添加行
[英]Adding rows to a SQL Server database from data entered by user in asp.net c#
问题描述
string ConnectionString = WebConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection connection = new SqlConnection(ConnectionString);
SqlCommand cmd = new SqlCommand("INSERT INTO Data (Name, Sur-Name, Score,Avg) VALUES ('" + fName + "','" + sName + "','" + lblScore.Text + "','" + lblAvg.Text + "');");
cmd.CommandType = CommandType.Text;
cmd.Connection = connection;
cmd.Parameters.AddWithValue("@Name", fName);
cmd.Parameters.AddWithValue("@Sur-Name", sName);
cmd.Parameters.AddWithValue("@Score", lblScore.Text);
cmd.Parameters.AddWithValue("@Avg", lblAvg.Text);
try
{
connection.Open();
cmd.ExecuteNonQuery();
}
catch (Exception exc)
{
lblData.Text = exc.Message;
}
finally
{
connection.Close();
}
The error I keep getting is a runtime saying 
我不断收到的错误是运行时说
Incorrect syntax near '-'.
I used the try catch just so page would load and my scores show but the label says this Incorrect syntax as well, I was wondering could anyone please help me with what I am doing wrong 我使用了try catch,以便页面加载并显示分数,但标签也显示了这种不正确的语法,我想知道是否有人可以帮助我解决我做错的事情
Thanks. 谢谢。
2 个解决方案
解决方案1
11 2014-03-26 15:21:56
I think Sur-Name breaks your query. 我认为Sur-Name破坏了您的查询。 Use it with square brackets like [Sur-Name] 与方括号一起使用,例如[Sur-Name]
But more important, please use parameterized queries . 但更重要的是,请使用参数化查询 。 This kind of string concatenations are open for SQL Injection attacks. 这类字符串连接对SQL注入攻击开放。 I see you tried to use but you never declare your parameter names in your query. 我看到您尝试使用,但从未在查询中声明参数名称。
Also DATA might be a reserved keyword on future versions of SQL Server. 此外, DATA可能是SQL Server未来版本中的保留关键字 。 You might need to use with also like [DATA] 您可能还需要使用[DATA]
Consider to use using statement to dispose your SqlConnection and SqlCommand . 考虑使用using语句配置您的SqlConnection和SqlCommand 。
using(SqlConnection connection = new SqlConnection(ConnectionString))
using(SqlCommand cmd = connection.CreateCommand())
{
cmd.CommandText = @"INSERT INTO [Data] (Name, [Sur-Name], Score, Avg)
VALUES (@Name, @SurName, @Score, @Avg)";
cmd.Connection = connection;
cmd.Parameters.AddWithValue("@Name", fName);
cmd.Parameters.AddWithValue("@SurName", sName);
cmd.Parameters.AddWithValue("@Score", lblScore.Text);
cmd.Parameters.AddWithValue("@Avg", lblAvg.Text);
try
{
connection.Open();
cmd.ExecuteNonQuery();
}
catch (Exception exc)
{
lblData.Text = exc.Message;
}
}
解决方案2
3 2014-03-26 15:23:16
You are trying to mix concatenated queries with parametrized. 您正在尝试将串联查询与参数化混合。 Always use parametrized queries, It will save you from SQL Injection. 始终使用参数化查询,它将使您免于SQL注入。
SqlCommand cmd = new SqlCommand(@"INSERT INTO [Data] (Name, [Sur-Name], Score,Avg) VALUES (
@Name, @SurName, @Score, @Avg)");
cmd.CommandType = CommandType.Text;
cmd.Connection = connection;
cmd.Parameters.AddWithValue("@Name", fName);
cmd.Parameters.AddWithValue("@SurName", sName);
cmd.Parameters.AddWithValue("@Score", lblScore.Text);
cmd.Parameters.AddWithValue("@Avg", lblAvg.Text);
Also consider enclosing your connection and command object in using statement. 还可以考虑在using语句中包含连接和命令对象。
As @Soner has mentioned in his answer , use Square brackets for Data and Sur-Name 就像@Soner在回答中提到的那样,对Data和Sur-Name使用方括号
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.