Syntax error (missing operator) in query expression in statement

    sqlStatement = "select Price from OrderItem where orderId=" + orderId;
    myAccessCommand = new OleDbCommand(sqlStatement, myAccessConn);
    myDataAdapter = new OleDbDataAdapter(myAccessCommand);
    myDataAdapter.Fill(myDataSet, "OrderItem");

    DataTableCollection dta = myDataSet.Tables;
    DataColumnCollection drc = myDataSet.Tables["Orders"].Columns;
    DataRowCollection dra = myDataSet.Tables["Orders"].Rows;

    foreach (DataRow dr in dra)
    {
        orderId = dr[0].ToString();
        Checkintime = dr[1].ToString();
        RoomPrice = dr[2].ToString();
        ReceiptNo = dr[3].ToString();
        Console.WriteLine("orderId: " + orderId + ", Checkintime:  " + Checkintime + ", RoomPrice: " + RoomPrice + ", ReceiptNo: " + ReceiptNo + "");
    }

I have a syntax error which says "Syntax error (missing operator) in query expression 'orderId='."

I can't seem to find the error.

The root cause of your problem is that you are not using parameterized queries and are trying to create an SQL string on the fly. As a result you make an error in the assembling code of that string. But if you use a parameterized query the chance of running into an issue like that is a lot lower because you don't have to mess about with quotes, number to string conversions and the like. On top of this, you cannot have a SQL injection attack if you use parameters and it makes the code more readable too.

Read http://www.dotnetperls.com/sqlparameter on how to use a parameterized query the way it should be done and don't just fix the textual error in the querystring. It is not the way it is supposed to be done.

This is a good explanation too: http://www.dreamincode.net/forums/topic/268104-parameterizing-your-sql-queries-the-right-way-to-query-a-database/
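
A parameterized version of the question's query, as an added example that is not code from the original post or its answer. It assumes `orderId` is a numeric column in an Access database; the `OrderItemQuery` class, the `GetPrices` helper and the connection string are hypothetical placeholders.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

static class OrderItemQuery
{
    // Assumption: OrderItem.orderId is a numeric (Long Integer) column.
    public static DataTable GetPrices(OleDbConnection conn, string orderIdText)
    {
        // An empty orderId is what turned the concatenated SQL into
        // "... where orderId=" and produced the syntax error. Reject
        // anything that is not an integer before a command is built.
        if (!int.TryParse(orderIdText, out int orderId))
            throw new ArgumentException("orderId must be an integer", nameof(orderIdText));

        // OleDb placeholders are positional: each "?" binds to the
        // parameters in the order they are added; the name is only a label.
        const string sql = "SELECT Price FROM OrderItem WHERE orderId = ?";

        using (var cmd = new OleDbCommand(sql, conn))
        using (var adapter = new OleDbDataAdapter(cmd))
        {
            // The value travels as typed data and is never spliced into
            // the SQL text, so it cannot change the shape of the query.
            cmd.Parameters.Add("@orderId", OleDbType.Integer).Value = orderId;

            var table = new DataTable("OrderItem");
            adapter.Fill(table);
            return table;
        }
    }

    static void Main()
    {
        // Placeholder connection string: point it at your own database file.
        const string connStr =
            @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\your.accdb";

        using (var conn = new OleDbConnection(connStr))
        {
            conn.Open();
            // "42" is a constructed sample value.
            foreach (DataRow row in GetPrices(conn, "42").Rows)
                Console.WriteLine("Price: " + row["Price"]);
        }
    }
}
```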
