堆栈内存溢出
  简体   繁体   English

C#中的INSERT INTO语法错误

[英]INSERT INTO syntax error in c#

 原文  2015-10-08 08:43:41       c#/ sql/ ms-access-2003

问题描述

please figure out the error in my code.it show syntax error INSERT INTO statement.请找出我的代码中的错误。它显示语法错误 INSERT INTO 语句。

OleDbCommand cmd = new OleDbCommand("INSERT INTO tbbill(invoice,datetime,custm,total,tax,grand)VALUES(" + Convert.ToInt32(txtinvoice.Text) + ",'" + dateTimePicker1.Value.ToString("yyyy/MMM/dd") + "','" + Convert.ToString(txtcn.Text) + "','" + txtttl.Text + "','" + Convert.ToInt32(cmtax.Text) + "','" + txtgrdttl.Text + "')", con);
cmd.CommandType = CommandType.Text;
cmd.ExecuteNonQuery();
con.Close();

3 个解决方案

解决方案1
 4  2015-10-08 09:29:13

It seems that you've commited all the sins possible in this short fragment.在这短短的片段中,你似乎犯下了所有可能的罪过 Something like that is expected:类似的事情是预期的:

// Make SQL readable
String sql =
  @"INSERT INTO tbbill(
      invoice,
      [datetime], /* reserved word */
      custm,
      total,
      tax,
      grand)
    VALUES(
      ?, ?, ?, ?, ?, ?)"; // Make SQL parametrized

// Put IDisposable into "using"
using (OleDbCommand cmd = new OleDbCommand(sql, con)) {
  // Parameterized 
  cmd.Parameters.Add(txtinvoice.Text);
  cmd.Parameters.Add(dateTimePicker1.Value);
  cmd.Parameters.Add(txtcn.Text);
  cmd.Parameters.Add(txtttl.Text);
  cmd.Parameters.Add(cmtax.Text);
  cmd.Parameters.Add(txtgrdttl.Text);

  cmd.ExecuteNonQuery();
}

// Do not close that's not opened by you (i.e. con)

解决方案2
 2  2015-10-08 09:24:44

Apart from your weird INSERT statement, your column name datetime is a reserve word in Access.除了奇怪的INSERT语句之外,您的列名datetime是 Access 中的保留字 You should escape it suing [] like below.你应该像下面那样使用[]来逃避它。

INSERT INTO tbbill(invoice,[datetime],custm,total,tax,grand)

Your current query is open to SQL Injection and so as suggested in comment consider using parameterized query instead.您当前的查询对 SQL 注入开放,因此根据评论中的建议,请考虑改用参数化查询。

解决方案3
 0 已采纳  2015-10-08 08:48:57

This should work:这应该有效:

OleDbCommand cmd = new OleDbCommand(@"INSERT INTO tbbill(invoice,[datetime],custm,total,tax,grand) 
VALUES(" + Convert.ToInt32(txtinvoice.Text) + ",\"" +          
dateTimePicker1.Value.ToString("yyyy/MMM/dd") + "\",\"" + 
Convert.ToString(txtcn.Text) + "\",\"" + txtttl.Text + "\",\"" + 
Convert.ToInt32(cmtax.Text) + "\",\"" + txtgrdttl.Text + "\")", con);
cmd.CommandType = CommandType.Text; 
cmd.ExecuteNonQuery(); 
con.Close();

EDIT:编辑:

As stated by others, your query is still open to SQL injection.正如其他人所说,您的查询仍然对 SQL 注入开放。 Dmitry's answer will be the safest and efficient option.德米特里的答案将是最安全有效的选择。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 C#插入语法错误 - C# Insert Into syntax error C#oledb中的INSERT INTO语句中的语法错误? - Syntax error in INSERT INTO statement in c# oledb? INSERT INTO 语法错误 C# 访问数据库 - INSERT INTO Syntax error C# access database INSERT到语句vb C#中的语法错误 - Syntax error in INSERT into statement vb c# INSERT INTO语句中的C#语法错误 - C# syntax error in INSERT INTO statement 使用C#将SQL插入语法错误 - SQL Insert Into Syntax Error using C# 插入命令语法错误C# - insert command syntax error c# 插入语句中的 C# 语法错误 - C# Syntax Error into insert statement 插入语句SQL C#中的语法错误 - Syntax Error In Insert Statement SQL C# 插入语句中的语法错误。 C# - syntax error in insert into statement. c#
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM