SQL INSERT - 列名无效

Question

As some of you may of seen from my previous post I'm new to using C# to create websites (Although I have a fair bit of experience using it for Windows Forms apps). The powers that be are tempting me away from PHP but I keep failing at what I consider the basics.

Anyway, this is my issue. I am trying to create a simple entry into a SQL database. I know my connection to the DB is fine as I can reel off SELECT queries all day long but I'm having trouble with using Insert.

Heres my code:

string filename = "abc123.jpg";
SqlConnection link = new SqlConnection(//you dont need to see my data here ;));
string sqlcode = "INSERT INTO file_uploads (upload_filename VALUES ("+filename+")";
SqlCommand sql = new SqlCommand(sqlcode,link);
link.open();
sql.ExecuteNonQuery();

This results in "Invalid column name abc123.jpg" returned from the try/catch.

Any help would be appreciated. (I wish they would let me do this in PHP lol!)

Thanks,

Tripbrock

Answer 1

You are missing a parenthesis after the column name and the value represents a string and as such must be enclosed in quotes:

string sqlcode = "INSERT INTO file_uploads (upload_filename) " + 
                 "VALUES ('"+filename+"')";

However, the correct way would be to use a parameterized query:

string filename = "abc123.jpg";
SqlConnection link = new SqlConnection(/*you dont need to see my data here ;)*/);
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
SqlCommand sql = new SqlCommand(sqlcode,link);
sql.Parameters.AddWithValue("@filename", filename);
link.open();
sql.ExecuteNonQuery();

Answer 2

your SQL is bad formatted. Try this :

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

Where upload_filename is a name of the column

Answer 3

Really you should be parameterising your queries - this reduces the risk of injection attacks:

string filename = "abc123.jpg";
using( SqlConnection link = new SqlConnection(/*...*/;)) )
{
    // sql statement with parameter
    string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
    using( SqlCommand sql = new SqlCommand(sqlcode,link) )
    {
        // add filename parameter
        sql.Parameters.AddWithValue("filename", filename);
        link.open();
        sql.ExecuteNonQuery();
    }
}

Also note the using statements - these make sure that the connection and command objects are disposed of.

Answer 4

looks like you are missing a bracket:

string sqlcode = "INSERT INTO file_uploads (upload_filename VALUES ("+filename+")";

Should be

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

Also, to avoid SQL injection attacks you can use the SQLCommand objects like so.

using (SQLCommand oSQLCommand = new SQLCommand("INSERT INTO file_uploads (upload_filename) VALUES ( @FileName )")
{
oSQLCommand.Parameters.AddWithValue("@FileName", filename);

oSQLCommand.ExecuteNonQuery();
}

Answer 5

Try

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

You were missing a closing parentheses.

Answer 6

Don't know if it is a typo but the line should be:

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

Notice the ) after upload_filename .

Also also added the single quotes around the filename.

But you probably want to use a parameterized query:

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";

Then use command.Parameters to add the actual value.