C#字符串中的SQL语法错误
[英]SQL Syntax error in C# string
问题描述
I'm running a query from a web form to update records. 
我正在从Web表单运行查询以更新记录。 Since I'm just learning about C#, I'm using a command string as opposed to a stored procedure. 因为我只是在学习C#,所以我使用的是命令字符串而不是存储过程。
My update method is as follows: 我的更新方法如下:
public void updateOne()
{
string commandText = "update INVOICE SET <Redacted> = @<Redacted>,
Supplier = @Sup, SupplierName = @SupN, NetTotal = @Net,
VATTotal = @VAT, InvoiceDate = @InvDt "
<needed a line break here, which is why I split the string again>
+ "WHERE K_INVOICE = @K_INV";
using (SqlConnection dbConnection = new SqlConnection
(conParams.connectionString))
{
SqlCommand cmd = new SqlCommand(commandText, dbConnection);
cmd.Parameters.Add("@K_INV", SqlDbType.Int);
cmd.Parameters["@K_INV"].Value = @K_INV;
cmd.Parameters.AddWithValue("@<Redacted>", @<Redacted>.ToString());
cmd.Parameters.AddWithValue("@Sup", @Sup.ToString());
cmd.Parameters.AddWithValue("@SupN", @SupN.ToString());
cmd.Parameters.AddWithValue("@Net", @Net.ToString());
cmd.Parameters.AddWithValue("VAT", @VAT.ToString());
cmd.Parameters.AddWithValue("@InvDt", @InvDt.ToString());
try
{
dbConnection.Open();
cmd.ExecuteNonQuery();
}
catch (Exception e)
{
errorString = e.Message.ToString();
}
}
}
Catch stalls on an SQL error (Incorrect syntax near SET), and I have an idea that the issue occurs because I convert the parameters to strings. Catch因SQL错误(SET附近的语法不正确)而停顿,并且我有想法会发生此问题,因为我将参数转换为字符串。 The first parameter is an Int, which should be OK. 第一个参数是Int,应该可以。
If this is the case, what should I convert the parameters to? 在这种情况下,应将参数转换为什么? If not, what on earth is wrong? 如果不是,那么到底是哪里错了?
2 个解决方案
解决方案1
3 2014-09-03 14:44:34
Try to add a @ before the string to escape the breaklines , for sample: 尝试在字符串前添加@以转义断线 ,例如:
string commandText = @"update INVOICE SET [Redacted] = @Redacted,
Supplier = @Sup, SupplierName = @SupN, NetTotal = @Net,
VATTotal = @VAT, InvoiceDate = @InvDt "
+ "WHERE K_INVOICE = @K_INV";
In parameterName argument you can add the @ but the value not, just the variable, for sample 在parameterName参数中,您可以添加@,但不能添加值,仅添加变量即可
cmd.Parameters.AddWithValue("@Redacted", redacted.ToString());
Try to execute this query in the databse with some values to check if everything is correct. 尝试使用一些值在数据库中执行此查询,以检查一切是否正确。 You could use [brackets] in the table name and column names if you have a reserved word. 如果您有保留字,则可以在表名和列名中使用[brackets] 。
解决方案2
1 已采纳 2014-09-03 15:03:12
I would recommend you read this blog article on the dangers of .AddWithValue() : 我建议您阅读这篇有关.AddWithValue()的危险的博客文章:
Instead of 代替
cmd.Parameters.AddWithValue("@Sup", @Sup.ToString());
you should use 你应该使用
cmd.Parameters.Add("@Sup", SqlDbType.VarChar, 50).Value = ...(provide value here)..;
( is your variable in C# really called @SupN ?? Rather unusual and confusing.... ) ( 是您在C#中的变量真的称为@SupN吗?相当不寻常且令人困惑。... )
I would recommend to always define an explicit length for any string parameters you define 我建议始终为您定义的任何字符串参数定义一个明确的长度
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.