[英]Adding rows to a SQL Server database from data entered by user in asp.net c#
string ConnectionString = WebConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection connection = new SqlConnection(ConnectionString);
SqlCommand cmd = new SqlCommand("INSERT INTO Data (Name, Sur-Name, Score,Avg) VALUES ('" + fName + "','" + sName + "','" + lblScore.Text + "','" + lblAvg.Text + "');");
cmd.CommandType = CommandType.Text;
cmd.Connection = connection;
cmd.Parameters.AddWithValue("@Name", fName);
cmd.Parameters.AddWithValue("@Sur-Name", sName);
cmd.Parameters.AddWithValue("@Score", lblScore.Text);
cmd.Parameters.AddWithValue("@Avg", lblAvg.Text);
try
{
connection.Open();
cmd.ExecuteNonQuery();
}
catch (Exception exc)
{
lblData.Text = exc.Message;
}
finally
{
connection.Close();
}
The error I keep getting is a runtime saying 我不断收到的错误是运行时说
Incorrect syntax near '-'.
'-'附近的语法不正确。 Incorrect syntax near '-'.
'-'附近的语法不正确。
I used the try catch just so page would load and my scores show but the label says this Incorrect syntax as well, I was wondering could anyone please help me with what I am doing wrong 我使用了try catch,以便页面加载并显示分数,但标签也显示了这种不正确的语法,我想知道是否有人可以帮助我解决我做错的事情
Thanks. 谢谢。
I think Sur-Name
breaks your query. 我认为
Sur-Name
破坏了您的查询。 Use it with square brackets like [Sur-Name]
与方括号一起使用,例如
[Sur-Name]
But more important, please use parameterized queries . 但更重要的是,请使用参数化查询 。 This kind of string concatenations are open for SQL Injection attacks.
这类字符串连接对SQL注入攻击开放。 I see you tried to use but you never declare your parameter names in your query.
我看到您尝试使用,但从未在查询中声明参数名称。
Also DATA
might be a reserved keyword on future versions of SQL Server. 此外,
DATA
可能是SQL Server未来版本中的保留关键字 。 You might need to use with also like [DATA]
您可能还需要使用
[DATA]
Consider to use using
statement to dispose your SqlConnection
and SqlCommand
. 考虑使用
using
语句配置您的SqlConnection
和SqlCommand
。
using(SqlConnection connection = new SqlConnection(ConnectionString))
using(SqlCommand cmd = connection.CreateCommand())
{
cmd.CommandText = @"INSERT INTO [Data] (Name, [Sur-Name], Score, Avg)
VALUES (@Name, @SurName, @Score, @Avg)";
cmd.Connection = connection;
cmd.Parameters.AddWithValue("@Name", fName);
cmd.Parameters.AddWithValue("@SurName", sName);
cmd.Parameters.AddWithValue("@Score", lblScore.Text);
cmd.Parameters.AddWithValue("@Avg", lblAvg.Text);
try
{
connection.Open();
cmd.ExecuteNonQuery();
}
catch (Exception exc)
{
lblData.Text = exc.Message;
}
}
You are trying to mix concatenated queries with parametrized. 您正在尝试将串联查询与参数化混合。 Always use parametrized queries, It will save you from SQL Injection.
始终使用参数化查询,它将使您免于SQL注入。
SqlCommand cmd = new SqlCommand(@"INSERT INTO [Data] (Name, [Sur-Name], Score,Avg) VALUES (
@Name, @SurName, @Score, @Avg)");
cmd.CommandType = CommandType.Text;
cmd.Connection = connection;
cmd.Parameters.AddWithValue("@Name", fName);
cmd.Parameters.AddWithValue("@SurName", sName);
cmd.Parameters.AddWithValue("@Score", lblScore.Text);
cmd.Parameters.AddWithValue("@Avg", lblAvg.Text);
Also consider enclosing your connection and command object in using
statement. 还可以考虑在
using
语句中包含连接和命令对象。
As @Soner has mentioned in his answer , use Square brackets for Data
and Sur-Name
就像@Soner在回答中提到的那样,对
Data
和Sur-Name
使用方括号
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.