
Connection to SQL Server database

A .NET application makes a connection and executes a query as follows (wrapped in a try-catch block):

using (SqlConnection conn = new SqlConnection(Configuration.connectionString))
{
    SqlCommand cmd = new SqlCommand(createTransactionQuery,conn);
    conn.Open();
    return cmd.ExecuteNonQuery();
}

The query string is:

createTransactionQuery = "BEGIN " +
                         "BEGIN Transaction" +
                         "  BEGIN TRY " +
                         "      --variables" +
                         "      DECLARE @varStaffID int;" +
                         "      DECLARE @varProductID int;" +
                         "      SET @varStaffID = " + transaction.getStaff().getID() + ";" +
                         "      SET @varProductID = " + transaction.getProduct().getProductID() + ";" +
                         " " +
                         "      --New record in Transactions table " +
                         "      INSERT INTO Transactions (Timestamp_, CustomerID, StaffID, ProductID) " +
                         "      VALUES (SYSDATETIME(),NULL,@varStaffID,@varProductID; " +
                         " " +
                         "      --Update inventory (Products table)" +
                         "      --First retrieve the current quantity of this product" +
                         "      DECLARE @varCurrQuantity int; " +
                         "      SET @varCurrQuantity = (SELECT Quantity FROM Products WHERE ProductID=@varProductID); " +
                         "      --and update it" +
                         "      UPDATE Products " +
                         "      SET Quantity = @varQuantity-1 " +
                         "      WHERE ProductID = @varProductID; " +
                         "  END TRY " +
                         "  BEGIN CATCH " +
                         "      ROLLBACK Transaction " +
                         "  END CATCH " +
                         "COMMIT Transaction" +
                         "END";

This code throws an exception:

System.Exception: Incorrect syntax near 'BEGIN'.

I know that the query string could be created in a better way. However, I want to know what the cause of the problem is, as this exact query works when it is executed within SQL Server Management Studio itself.

I have made sure the connection string is correct, as it is working exactly as it should in a different part of the application.

It seems you have a missing close parenthesis here:

VALUES (SYSDATETIME(),NULL,@varStaffID,@varProductID; " 

However, this kind of string concatenation is open to SQL injection attacks. You should always use parameterized queries to avoid SQL injection and also to get rid of this kind of error.

To learn how to use parameterized queries, see an example below:

https://stackoverflow.com/a/50597820/2946329

You can try this for a transaction. Remove the first BEGIN and the last END from your code and follow this instruction:

BEGIN TRANSACTION trans
  BEGIN TRY  
     --Do some insert or update
     COMMIT TRANSACTION trans
  END TRY
BEGIN CATCH
  ROLLBACK TRANSACTION trans
END CATCH

You have missed a space between "COMMIT Transaction" + "END"; use "COMMIT Transaction" + " END"; instead.

Also, you have not declared @varQuantity and have missed a closing bracket after " VALUES (SYSDATETIME(),NULL,@varStaffID,@varProductID; ".
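Pulling the three answers together, here is an added example (not code from the question or any of the answers) of the same insert-and-decrement done with typed SqlParameters and the COMMIT placed inside the TRY block. The method name, the `Quantity > 0` stock guard and the error number 50001 are constructed for this example; it assumes SQL Server 2012 or later for THROW.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // Microsoft.Data.SqlClient works the same way

public static class TransactionRepository
{
    // Constructed T-SQL with the same logic as the question's query: the IDs
    // arrive as parameters instead of being pasted into the text, the missing
    // ")" is fixed, and COMMIT sits inside TRY so a failed statement never
    // reaches it. Reading and decrementing Quantity in one UPDATE also avoids
    // the lost-update race that a separate SELECT followed by UPDATE allows.
    private const string CreateTransactionSql = @"
BEGIN TRY
    BEGIN TRANSACTION;

    INSERT INTO Transactions (Timestamp_, CustomerID, StaffID, ProductID)
    VALUES (SYSDATETIME(), NULL, @StaffID, @ProductID);

    UPDATE Products
    SET Quantity = Quantity - 1
    WHERE ProductID = @ProductID AND Quantity > 0;

    IF @@ROWCOUNT = 0
        THROW 50001, 'Product not found or out of stock.', 1;

    COMMIT TRANSACTION;
END TRY
BEGIN CATCH
    IF XACT_STATE() <> 0
        ROLLBACK TRANSACTION;
    THROW; -- re-raise so the caller sees a SqlException instead of silent success
END CATCH;";

    // Hypothetical signature: the caller passes the IDs it already holds.
    public static int CreateTransaction(string connectionString, int staffId, int productId)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(CreateTransactionSql, conn))
        {
            // Typed parameters: the values are never interpreted as T-SQL text,
            // so neither a syntax slip nor an injected string can reach the parser.
            cmd.Parameters.Add("@StaffID", SqlDbType.Int).Value = staffId;
            cmd.Parameters.Add("@ProductID", SqlDbType.Int).Value = productId;
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected by the INSERT plus the UPDATE
        }
    }
}
```

Because the CATCH block re-throws, a missing product or an empty stock surfaces as a SqlException in the C# try-catch rather than as a committed transaction with an unchanged inventory.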
