Incorrect syntax near ','. Description: An unhandled exception occurred during the execution
I know this title seems to be repeated a lot but I tried to search and didn't find the answer.
Code:
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e) {}
    protected void gv_master_SelectedIndexChanged(object sender, EventArgs e)
    {
        // Get the currently selected row using the SelectedRow property.
        GridViewRow row = gv_master.SelectedRow;
        // Display the first name from the selected row.
        // In this example, the third column (index 2) contains
        // the first name.
        lbl_reqNoV.Text = row.Cells[1].Text;
        lbl_reqNoV.Visible = true;
        lbl_reqNo.Visible = true;
        SqlConnection sqlConnection1 = new SqlConnection("Data Source=saitest01;Initial Catalog=SAI_website;Persist Security Info=True;User ID=sa;Password=sai@987");
        SqlCommand cmd = new SqlCommand();
        cmd.CommandText = "Select * from purchase Where ReqNo = '" + lbl_reqNoV.Text + "', sqlConnection1";
        cmd.CommandType = CommandType.Text;
        cmd.Connection = sqlConnection1;
        sqlConnection1.Open();
        SqlDataReader DR1;
        DR1 = cmd.ExecuteReader();
        DR1.Read();
        // Data is accessible through the DataDR1 object here
        gv_full.DataSource = DR1;
        gv_full.DataBind();
    }
}
The problem is you were adding the name of the Connection in the query text, which is of course not recognized by SQL Server. The correct format was:
var cmd = new SqlCommand("Select * from purchase Where ReqNo = @reqno",sqlConnection1);
or you can do this:
cmd.CommandText = "Select * from purchase Where ReqNo = @reqno";
cmd.Parameters.AddWithValue("reqno",lbl_reqNoV.Text);
cmd.CommandType = CommandType.Text;
cmd.Connection = sqlConnection1;
You should always use parameters in queries to avoid SQL injection.
Just change the following:
cmd.CommandText = "Select * from purchase Where ReqNo = '" + lbl_reqNoV.Text + "', sqlConnection1";
with,
cmd.CommandText = "Select * from purchase Where ReqNo = '" + lbl_reqNoV.Text + "' ";
The above will make your code work. But you should modify your code to handle SQL injection, as answered by @Usman.
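The parameterized query from the first answer applied to the whole event handler, as an added example that is not part of the original thread. The connection string name "SaiWebsite" and the NVARCHAR(50) type for ReqNo are assumptions; gv_master, gv_full, lbl_reqNo and lbl_reqNoV are the controls from the question's page.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

public partial class _Default : System.Web.UI.Page
{
    protected void gv_master_SelectedIndexChanged(object sender, EventArgs e)
    {
        GridViewRow row = gv_master.SelectedRow;
        lbl_reqNoV.Text = row.Cells[1].Text;
        lbl_reqNoV.Visible = true;
        lbl_reqNo.Visible = true;

        // Assumption: web.config has a <connectionStrings> entry named
        // "SaiWebsite", so no credentials live in the source file.
        string connStr =
            ConfigurationManager.ConnectionStrings["SaiWebsite"].ConnectionString;

        // The SQL text is a constant; the request number travels separately
        // as a typed parameter and is never parsed as SQL. A value such as
        // O'Brien is matched literally instead of breaking the statement.
        const string sql = "SELECT * FROM purchase WHERE ReqNo = @reqno";

        // using blocks close the reader and connection even if the query throws.
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Assumption: ReqNo is NVARCHAR(50). An explicit type and size
            // avoid the type inference that AddWithValue performs.
            cmd.Parameters.Add("@reqno", SqlDbType.NVarChar, 50).Value =
                lbl_reqNoV.Text;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // No reader.Read() before binding: data binding advances the
                // reader itself, so an extra Read() would drop the first row.
                gv_full.DataSource = reader;
                gv_full.DataBind();
            }
        }
    }
}
```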