
Insert into Access database query error in C#

using System;
using System.Data.OleDb;

OleDbConnection my_con = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;
                             Data Source=C:\\Users\\SS\\Documents\\131Current1\\125\\Current one\\ClinicMainDatabase.accdb");
my_con.Open();

OleDbCommand o_cmd1 = my_con.CreateCommand();
// Statement built by string concatenation of the form values (the form the question asks about).
o_cmd1.CommandText = "INSERT INTO Personal_Details(Date,Time,Patient_Name,Contact_Number,Gender,Allergic_To,KCO) VALUES ('" + DateTime.Now.ToString("dd-MM-yyyy") + "','" + DateTime.Now.ToString("h:mm:ss tt") + "','" + txtPatientName.Text + "','" + txtContactNo.Text + "','" + comboBoxGender.Text + "','" + txtAllergic.Text + "','" + txtKCO.Text + "')";

int j = o_cmd1.ExecuteNonQuery();

I am getting the "Syntax error in INSERT statement" error. I don't understand what the mistake is; if anyone can help me I would be really thankful. Thanks in advance.

Date and Time are typically reserved keywords in many database systems. You should at the very least wrap them with [ ]. More preferably, if you are designing the table, change the field names to something more descriptive. For example, if the Date and Time represented a reminder, you could use ReminderDate and ReminderTime so as not to interfere with reserved keywords.

And follow the parameter advice that's already been given.

Use command parameters instead of concatenating strings. Your code is open to SQL injection attacks, or in your specific case the problem may be related to invalid user input. Try to think about this situation: what if txtContactNo.Text returns the string "Peter's contact is +123456"? How will the SQL query look then? Pay close attention to the ' character.

You should ALWAYS use parameterized SQL queries no matter how good you think your input validation is. It also has more advantages, like query plan caching, etc.

So in your case the code must be written like this:

using System;
using System.Data.OleDb;

OleDbConnection my_con = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;
                             Data Source=C:\\Users\\SS\\Documents\\131Current1\\125\\Current one\\ClinicMainDatabase.accdb");
using(my_con)
{
   my_con.Open();

   using(OleDbCommand o_cmd1 = my_con.CreateCommand())
   {
       // Date and Time are reserved words in Access SQL, so they are bracketed.
       o_cmd1.CommandText = @"
INSERT INTO Personal_Details ([Date],  [Time],  Patient_Name, Contact_Number, Gender,  Allergic_To, KCO) 
VALUES                       (@date, @time, @name,        @contNo,        @gender, @alergic,    @kco)";

       // The ACE/Jet OLE DB provider ignores parameter names and binds by position,
       // so these Add calls must stay in the same order as the placeholders above
       // (the portable spelling is a ? in place of each @name).
       o_cmd1.Parameters.AddWithValue("@date", DateTime.Now.ToString("dd-MM-yyyy"));
       o_cmd1.Parameters.AddWithValue("@time", DateTime.Now.ToString("h:mm:ss tt"));
       o_cmd1.Parameters.AddWithValue("@name", txtPatientName.Text);
       o_cmd1.Parameters.AddWithValue("@contNo", txtContactNo.Text);
       o_cmd1.Parameters.AddWithValue("@gender", comboBoxGender.Text);
       o_cmd1.Parameters.AddWithValue("@alergic", txtAllergic.Text);
       o_cmd1.Parameters.AddWithValue("@kco", txtKCO.Text);

       o_cmd1.ExecuteNonQuery();
   }
}

Also make sure that you are properly disposing of the connection and the command objects (by using :) the using keyword).

For more info read the docs on MSDN: https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparametercollection.addwithvalue(v=vs.110).aspx
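As an added example (not code from the question or from either answer), the following console program puts both answers together in one reusable helper: the reserved-word columns are bracketed, every value is bound as a typed OleDbParameter through positional ? placeholders, and a second method builds the concatenated statement from the question for the input "Peter's contact is +123456" so the effect of the apostrophe can be seen. It assumes the Personal_Details column names from the question, a placeholder database path, and a Windows machine with the ACE OLE DB provider and the System.Data.OleDb package available.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example. Column names follow the question; the .accdb path is a placeholder.
public sealed class PatientRecord
{
    public DateTime VisitedAt;
    public string Name;
    public string ContactNumber;
    public string Gender;
    public string AllergicTo;
    public string Kco;
}

public static class PatientRepository
{
    // Placeholder; replace Data Source with the real .accdb path before running.
    public const string ConnectionString =
        @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\ClinicMainDatabase.accdb";

    // The concatenated form from the question, reduced to two columns. Kept only to
    // show the failure mode: an apostrophe in the input closes the string literal early.
    public static string BuildUnsafeInsert(PatientRecord p)
    {
        return "INSERT INTO Personal_Details (Patient_Name, Contact_Number) VALUES ('"
             + p.Name + "','" + p.ContactNumber + "')";
    }

    // Parameterized form. Reserved words are bracketed and every value travels as a
    // parameter, so quotes in the input can never change the statement's structure.
    // The ACE/Jet provider binds parameters by position, not by name, so the Add calls
    // below must stay in the same order as the ? placeholders.
    public static int InsertPatient(string connectionString, PatientRecord p)
    {
        const string sql = @"
INSERT INTO Personal_Details ([Date], [Time], Patient_Name, Contact_Number, Gender, Allergic_To, KCO)
VALUES (?, ?, ?, ?, ?, ?, ?)";

        using (var con = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, con))
        {
            // The question stores date and time as formatted text, so they are bound as
            // text here; if the columns are of the Access Date/Time type, bind
            // OleDbType.Date with a DateTime value instead.
            cmd.Parameters.Add("@date", OleDbType.VarWChar).Value = p.VisitedAt.ToString("dd-MM-yyyy");
            cmd.Parameters.Add("@time", OleDbType.VarWChar).Value = p.VisitedAt.ToString("h:mm:ss tt");
            cmd.Parameters.Add("@name", OleDbType.VarWChar).Value = p.Name;
            cmd.Parameters.Add("@contNo", OleDbType.VarWChar).Value = p.ContactNumber;
            cmd.Parameters.Add("@gender", OleDbType.VarWChar).Value = p.Gender;
            cmd.Parameters.Add("@allergic", OleDbType.VarWChar).Value = p.AllergicTo;
            cmd.Parameters.Add("@kco", OleDbType.VarWChar).Value = p.Kco;

            con.Open();
            return cmd.ExecuteNonQuery();   // number of rows inserted (1 on success)
        }
    }

    // Usage: pass the real connection string as the first argument to also run the insert.
    public static void Main(string[] args)
    {
        var p = new PatientRecord
        {
            VisitedAt = DateTime.Now,
            Name = "Peter",
            ContactNumber = "Peter's contact is +123456",   // the input from the answer above
            Gender = "Male",
            AllergicTo = "",
            Kco = ""
        };

        // Prints ... VALUES ('Peter','Peter's contact is +123456'): the second literal
        // ends after "Peter" and the rest is a syntax error, which is what the question reports.
        Console.WriteLine(BuildUnsafeInsert(p));

        if (args.Length > 0)
            Console.WriteLine("Rows inserted: " + InsertPatient(args[0], p));
    }
}
```

Explicit OleDbType values are used instead of AddWithValue so the provider does not have to infer a type from each .NET value; with the text columns the question implies, VarWChar is the matching type. Both the connection and the command sit in using blocks, so they are disposed even when ExecuteNonQuery throws.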
