Getting a syntax error (missing operator) in query expression in C#

I am writing code and getting a syntax error, and I don't know where it comes from. This is the code I am using:

string u = "select uniqcode from login where users='" + textBoxX1.Text + "' ";

and this is the error I am getting:

"Syntax error (missing operator) in query expression ''select uniqcode from login where users='someuser' ''." (System.Data.OleDb.OleDbException) A System.Data.OleDb.OleDbException was thrown: "Syntax error (missing operator) in query expression ''select uniqcode from login where users='someuser' ''."

It is possible that the textbox text contains a single quote ('). If so, replace each single quote (') with two single quotes ('').

Otherwise, try to execute it using SQL parameters.

string u = "select login.uniqcode from [login] where users='" + textBoxX1.Text.Trim() + "'";

Since your error indicates that you are using an OleDb connection, you may use the following code. This will avoid SQL injection as well. However, you may need to do a bit of work to fit the following piece into your code.

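string u = "select uniqcode from login where users=?";
// conn: your existing OleDbConnection (assumed name, not shown in the question)
OleDbCommand cmd = new OleDbCommand(u, conn);
cmd.Parameters.Add("@users", OleDbType.VarChar).Value = textBoxX1.Text;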

You may see examples here and here.

You need to first read and understand that there are SQL syntax limitations in OleDB.

"A single quote must be escaped with another single quote."

But really, forget single quotes.

Read more about using OleDB here. It's ancient technology anyway, so I would get away from OleDB and have your database ported over to SQL Server or MySQL.

However, what you may need is something like this...

try
{
    connw.Open();
    // OleDb uses positional "?" placeholders: parameter names are ignored,
    // so parameters must be added in the same order as the "?" marks.
    OleDbCommand command = new OleDbCommand(
        "SELECT * " +
        "FROM Deliveries WHERE Deliveries.EmployeeID = ? AND Deliveries.FIN = ? AND Deliveries.TodaysOrders = ?", connw);
    command.Parameters.Add(new OleDbParameter("@EMPID", Convert.ToDecimal(empsplitIt[1])));
    command.Parameters.Add(new OleDbParameter("@FIN", truckSplit[1].ToString()));
    command.Parameters.Add(new OleDbParameter("@TodaysOrder", "R"));
    // ExecuteNonQuery does not return result rows; for a SELECT, use ExecuteReader() instead.
    catchReturnedRows = command.ExecuteNonQuery();
}
catch (OleDbException exception)
{
    MessageBox.Show(exception.Message, "OleDb Exception");
}
finally
{
    connw.Close(); // close the connection even if the query throws
}

The golden rule of database coding is to never pass a variable directly into the SQL statement like you've done above. That is opening yourself up to SQL injection big time.
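
The parameterized lookup the answers recommend, written out as a complete added example (it is not code from the original posts). It assumes the question's `login` table with `users` and `uniqcode` columns; the class and method names, the sample input, the parameter size and the ACE connection string are hypothetical placeholders.

```csharp
using System;
using System.Data.OleDb;

static class LoginLookup
{
    // The question's concatenation, kept only to show the text the engine receives.
    public static string BuildConcatenated(string userName)
    {
        return "select uniqcode from login where users='" + userName + "' ";
    }

    // Parameterized lookup: the SQL text is constant and the value travels
    // separately, so quotes in userName cannot change the statement.
    public static string GetUniqCode(string connectionString, string userName)
    {
        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(
            "select uniqcode from [login] where users = ?", conn))
        {
            // OleDb binds by position; the name "@users" is only a label.
            cmd.Parameters.Add("@users", OleDbType.VarWChar, 255).Value = userName ?? string.Empty;
            conn.Open();
            object result = cmd.ExecuteScalar(); // first column of the first row, or null
            return (result == null || result == DBNull.Value) ? null : Convert.ToString(result);
        }
    }

    static void Main()
    {
        string input = "O'Brien"; // constructed sample input
        // In the concatenated text the quote inside the name closes the string
        // literal early, so the rest of the name is parsed as SQL. This is the
        // case the first answer describes, and the same mechanism as injection.
        Console.WriteLine(BuildConcatenated(input));

        // Placeholder connection string (assumption): point it at your own database.
        string cs = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\your.accdb";
        try
        {
            Console.WriteLine(GetUniqCode(cs, input) ?? "(no such user)");
        }
        catch (OleDbException ex)
        {
            Console.WriteLine("OleDb error: " + ex.Message);
        }
    }
}
```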
