插入DateTime(从C#到MySQL)
[英]Insert into DateTime (from C# to MySQL)
问题描述
I Just Keep Having this Error: You have an error in your SQL syntax; 
我只是一直遇到这个错误: 您的SQL语法有错误; check the manual that corresponds to your MySQL server version for the right syntax to use near '2014-10-08 19:39:57)' at line 1 在第1行的“ 2014-10-08 19:39:57)”附近查看与您的MySQL服务器版本相对应的手册以使用正确的语法
public string ObtenerFechaHora()
{
string query = "select CURRENT_TIMESTAMP() as Fecha";
OpenConnection();
MySqlCommand cmd = new MySqlCommand(query, connection);
cmd.ExecuteNonQuery();
DateTime e = (DateTime)cmd.ExecuteScalar();
CloseConnection();
return e.ToString("yyyy-MM-dd H:mm:ss");
}
Then i insert ("Fecha" is the DateTime Column) 然后我插入(“ Fecha”是DateTime列)
string query = "INSERT INTO actividad (idTerminal, Proceso, Nombre, Tiempo, Fecha) VALUES('" + idTerminal + "', '" + Proceso + "', '" + Nombre + "', '1,'" + this.ObtenerFechaHora() + ")";
I been used loot of formats and i keep having error, for example: 我曾经使用过很多格式,但经常出错,例如:
e.ToString("yyyy-MM-dd H:mm:ss");
e.ToString("yyyy-MM-dd HH:mm:ss");
e.ToString("dd-MM-yyyy H:mm:ss");
e.ToString("yyyy-dd-MMH:mm:ss");
Also with "/" instead of "-" Any help here? 还可以用“ /”代替“-”,这有什么帮助吗?
3 个解决方案
解决方案1
1 2014-10-09 03:07:30
The problem isn't with the format of the datetime string; 问题不在于日期时间字符串的格式。 the problem is in the SQL text of the INSERT statement, right before the value is appended. 问题出在插入值之前的INSERT语句的SQL文本中。 For debugging this, you could output the query string and inspect it. 为了进行调试,您可以输出查询字符串并进行检查。
The problem is in the SQL text here: 问题出在以下SQL文本中:
+ "', '1,'" +
There needs to be a comma between that literal and the next column value. 该文字和下一个列值之间必须有一个逗号。 It looks like you just missed a single quote: 您好像错过了一个引号:
+ "', '1','" +
^
A potentially bigger problem is that your code appears to be vulnerable to SQL Injection. 一个潜在的更大问题是您的代码似乎容易受到SQL注入的攻击。 Consider what happens when one of the variables you are including into the SQL text includes a single quote, or something even more nefarios ala Little Bobby Tables. 考虑一下当您要包含在SQL文本中的变量之一包含单引号或什至是nefarios或Little Bobby Tables时会发生什么。 http://xkcd.com/327/ . http://xkcd.com/327/ 。
If you want a column value to be the current date and time, you don't need to run a separate query to fetch the value. 如果希望将列值作为当前日期和时间,则无需运行单独的查询来获取该值。 You could simply reference the function NOW() in your query text. 您可以简单地在查询文本中引用函数NOW() 。 eg 例如
+ "', '1', NOW() )";
解决方案2
0 2014-10-09 03:04:17
You excuted twice 你两次谴责
//cmd.ExecuteNonQuery();
DateTime e = (DateTime)cmd.ExecuteScalar();
Should be only one time. 应该只有一次。
Then like @sgeddes said in the comments use parameterized queries, they avoid errors and sql injections. 然后就像@sgeddes 在注释中说的那样使用参数化查询,这样可以避免错误和sql注入。
解决方案3
0 2014-10-09 04:19:46
The approach that you have used is not the best approach to write SQL command. 您使用的方法不是编写SQL命令的最佳方法。 You should use sql parameters in the Query. 您应该在查询中使用sql参数。 Your code is vulnerable to SQL Injected and obviously it is not the best approach. 您的代码容易受到SQL Injected的攻击,显然这不是最佳方法。
Try using something like this: 尝试使用如下所示的内容:
string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
+ "WHERE CustomerID = @ID;";
SqlCommand command = new SqlCommand(commandText, connection);
command.Parameters.Add("@ID", SqlDbType.Int);
command.Parameters["@ID"].Value = customerID;
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.