System.Data.SqlClient.SqlException：无效的列名（行命令出错。ExecuteNonQuery();）

Question

So I am getting that error all the time.所以我一直收到那个错误。 Im not sure if the problem is in the SQL-server.我不确定问题是否出在 SQL 服务器上。 This code for inserting the data into the database.此代码用于将数据插入数据库。

Send help.发送帮助。

I'm getting this message while executing the code我在执行代码时收到此消息

private void registracija_btn_Click(object sender, EventArgs e)                        
{
        string RegistracijaUporabnisko = RegistracijaUporabnisko_txt.Text;
        string RegistracijaGeslo = RegistracijaGeslo_txt.Text;
        string RegistracijaMail = RegistracijaMail_txt.Text;

            try
            {
                string queryReg = "INSERT INTO uporabnik2(uporabnisko_ime, geslo, email) " +
                     "VALUES(" + RegistracijaUporabnisko + ", " + RegistracijaGeslo + ", " + RegistracijaMail + ")";

                using (SqlCommand command = new SqlCommand(queryReg, con))
                {
                    con.Open();
                    command.ExecuteNonQuery();
                    con.Close();
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show("Napaka: " + ex);
            }

    }

Answer 1

Parameters (below) fixes this and a range of other problems, including SQL injection, i18n/l10n, etc. It is also possible that you've simply typo'd a column name, in which case we can't help you with that as we don't know the real name.参数（如下）修复了这个问题和一系列其他问题，包括 SQL 注入、i18n/l10n 等。您也可能只是输入了一个列名，在这种情况下我们无法帮助您因为我们不知道真名。

string queryReg = "INSERT INTO uporabnik2(uporabnisko_ime, geslo, email) " +
     "VALUES(@uporabnisko_ime, @geslo, @email)";

using (SqlCommand command = new SqlCommand(queryReg, con))
{
    con.Open();
    command.Parameters.AddWithValue("@uporabnisko_ime", RegistracijaUporabnisko_txt.Text);
    command.Parameters.AddWithValue("@geslo", RegistracijaGeslo_txt.Text);
    command.Parameters.AddWithValue("@email", RegistracijaMail_txt.Text);
    con.Close();
}

I also never tire of recommending tools like Dapper for things like this:我也从不厌倦推荐像 Dapper 这样的工具来做这样的事情：

con.Execute("INSERT INTO uporabnik2(uporabnisko_ime, geslo, email) " +
     "VALUES(@uporabnisko_ime, @geslo, @email)", new {
    uporabnisko_ime = RegistracijaUporabnisko_txt.Text,
    geslo = RegistracijaGeslo_txt.Text,
    email = RegistracijaMail_txt.Text });

which does everything including (if necessary) the connection open/close, command construction, parameter packing, etc.它完成所有工作，包括（如果需要）连接打开/关闭、命令构造、参数打包等。

Answer 2

Lets look at your code:让我们看看你的代码：

      string queryReg = "INSERT INTO uporabnik2(uporabnisko_ime, geslo, email) " +
             "VALUES(" + RegistracijaUporabnisko + ", " + RegistracijaGeslo + ", " + RegistracijaMail + ")";

        using (SqlCommand command = new SqlCommand(queryReg, con))
        {
            con.Open();
            command.ExecuteNonQuery();
            con.Close();
        }

Ok so if RegistracijaUporabnisko has the value Rok, RegistracijaGeslo the value Rok and RegistracijaMail the value Rok@home.. what does your string now look like?好的，如果RegistracijaUporabnisko的值为 Rok， RegistracijaGeslo的值为 Rok， RegistracijaMail的值为 Rok@home .. 你的字符串现在是什么样子的？ well好

 string queryReg = "INSERT INTO uporabnik2(uporabnisko_ime, geslo, email) VALUES(Rok,Rok,Rok@home)";

the Rok it would look for then is a field, not a value.它将寻找的 Rok 是一个字段，而不是一个值。 Hence it says invalid column.因此它说无效的列。

So what if you did it a commonly adopted way of那么，如果你以一种普遍采用的方式来做呢？

  string queryReg = "INSERT INTO uporabnik2(uporabnisko_ime, geslo, email) VALUES(@RegistracijaUporabnisko ,@RegistracijaGeslo ,@email)";

    using (SqlCommand command = new SqlCommand(queryReg, con))
    {
        command.Parameters.AddWithValue("@RegistracijaUporabnisko ", RegistracijaUporabnisko );
        command.Parameters.AddWithValue("@RegistracijaGeslo ", RegistracijaGeslo );
        command.Parameters.AddWithValue("@email", email);
        con.Open();
        command.ExecuteNonQuery();
        con.Close();
    }

What happens now?现在会发生什么？ Well, behind the scenes text is entered with quotes round it, dates are sent in an appropriate format, numbers all that.. handled for you.好吧，在幕后输入的文本是用引号括起来的，日期以适当的格式发送，数字所有这些都为您处理。 It protects you from injection so that if I entered a name of "; drop table uporabnik2 you wouldnt find yourself losing the table etc.它可以保护您免受注射，因此如果我输入了"; drop table uporabnik2的名称，您就不会发现自己丢失了表格等。

Answer 3

try尝试

string queryReg = "INSERT INTO uporabnik2(uporabnisko_ime, geslo, email) " +
                     "VALUES('" + RegistracijaUporabnisko + "', '" + RegistracijaGeslo + "', '" + RegistracijaMail + "')";

Generally, you only need to enclose value of string type data, however for safer side always enclose value into the single quote in insert statement一般来说，你只需要将字符串类型数据的值括起来，但是为了安全起见，总是将值括在插入语句中的单引号中

System.Data.SqlClient.SqlException：无效的列名（行命令出错。ExecuteNonQuery();）

问题描述

3 个解决方案

解决方案1
3 2019-02-13 09:09:11

解决方案2
3 已采纳 2019-02-13 09:15:02

解决方案3
-2 2019-02-13 09:07:28

System.Data.SqlClient.SqlException：无效的列名（行命令出错。ExecuteNonQuery();）

问题描述

3 个解决方案

解决方案1 3 2019-02-13 09:09:11

解决方案2 3 已采纳 2019-02-13 09:15:02

解决方案3 -2 2019-02-13 09:07:28

解决方案1
3 2019-02-13 09:09:11

解决方案2
3 已采纳 2019-02-13 09:15:02

解决方案3
-2 2019-02-13 09:07:28