如何处理Access INSERT语句和.NET DataGridView控件中的语法错误?
[英]How to handle a syntax error in an Access INSERT statement and a .NET DataGridView control?
问题描述
I'm working with Access (.accdb), and a Windows Forms application, written in C#. 
我正在使用Access(.accdb)和一个用C#编写的Windows Forms应用程序。
I get this error when I'm trying to insert data into a database table. 当我尝试将数据插入数据库表时,我收到此错误。
System.Data.OleDb.OleDbException:Sintax error in INSERT INTO statement. System.Data.OleDb.OleDbException:INSERT INTO语句中的Sintax错误。 adaptador.InsertCommand.ExecuteNonQuery(); adaptador.InsertCommand.ExecuteNonQuery();
I have tried to go through the direct route and update method but coming up with the same error! 我试图通过直接路由和更新方法,但提出相同的错误!
My code: 我的代码:
private void btnCronograma_Click(object sender, EventArgs e)
{
OleDbConnection conn = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=mydatabase.accdb");
string sql;
int idProyecto, idMes, meta, real;
OleDbDataAdapter adaptador = new OleDbDataAdapter();
//for (int i = 0; i < this.dataGridView8.Rows.Count - 1; i++)
//{
foreach (DataGridViewRow row in dataGridView8.Rows)
{
DataGridViewComboBoxCell combo3 = row.Cells["idProyecto"] as DataGridViewComboBoxCell;
DataGridViewComboBoxCell combo4 = row.Cells["idMes"] as DataGridViewComboBoxCell;
MessageBox.Show(combo3.Value.ToString());
MessageBox.Show(combo4.Value.ToString());
idProyecto = int.Parse(combo3.Value.ToString());
idMes = int.Parse(combo4.Value.ToString());
meta = int.Parse(dataGridView8.Rows[0].Cells[3].Value.ToString());
real = int.Parse(dataGridView8.Rows[0].Cells[4].Value.ToString());
MessageBox.Show(meta.ToString());
MessageBox.Show(real.ToString());
//for (int i = 0; i < this.dataGridView8.Rows.Count - 1; i++)
//{
sql = "INSERT INTO IndicadorProyecto (idProyecto, idMes, meta, real) VALUES('" + idProyecto + "' , '" +
idMes + "' , '" + meta + "' , '" + real + "') ";
//sql = "INSERT INTO IndicadorProyecto (idMes, meta, real) VALUES('" + idMes + "' , '" + meta + "' , '" + real + "') ";
if (combo3 == null)
{
MessageBox.Show("No se pudo convertir");
}
else if (combo4 == null)
{
MessageBox.Show("No se pudo convertir");
}
else
{
}
try
{
conn.Open();
adaptador.InsertCommand = new OleDbCommand(sql, conn);
adaptador.InsertCommand.ExecuteNonQuery();
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString());
}
finally
{
conn.Close();
}
//}
}
}
1 个解决方案
解决方案1
2 已采纳 2010-11-21 01:23:51
You should not concatenate strings into SQL statements. 您不应该将字符串连接到SQL语句中。
By doing so, you break your code and create a SQL injection vulnerability. 这样,您将破坏代码并创建一个SQL注入漏洞。
Instead, you should use parameters. 相反,您应该使用参数。
For example: 例如:
using (var conn = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=mydatabase.accdb"))
using (var command = new OleDbCommand(@"INSERT INTO IndicadorProyecto (idProyecto, idMes, meta, real) VALUES(?, ?, ?, ?") {
command.Parameters.AddWithValue("a", idProyecto);
command.Parameters.AddWithValue("b", idMes);
command.Parameters.AddWithValue("c", meta);
command.Parameters.AddWithValue("d", real);
conn.Open();
command.ExecuteNonQuery();
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.