[英]SQL INSERT - Invalid column name
As some of you may of seen from my previous post I'm new to using C# to create websites (Although I have a fair bit of experience using it for Windows Forms apps). 正如你们中的一些人可能从我之前的帖子中看到的,我是新手使用C#来创建网站(虽然我有很多使用它来使用Windows Forms应用程序的经验)。 The powers that be are tempting me away from PHP but I keep failing at what I consider the basics.
这些权力让我远离PHP,但我仍然在考虑基础知识而失败。
Anyway, this is my issue. 无论如何,这是我的问题。 I am trying to create a simple entry into a SQL database.
我正在尝试创建一个简单的SQL数据库入口。 I know my connection to the DB is fine as I can reel off SELECT queries all day long but I'm having trouble with using Insert.
我知道我与数据库的连接很好,因为我可以整天关闭SELECT查询,但是我在使用Insert方面遇到了麻烦。
Heres my code: 继承我的代码:
string filename = "abc123.jpg";
SqlConnection link = new SqlConnection(//you dont need to see my data here ;));
string sqlcode = "INSERT INTO file_uploads (upload_filename VALUES ("+filename+")";
SqlCommand sql = new SqlCommand(sqlcode,link);
link.open();
sql.ExecuteNonQuery();
This results in "Invalid column name abc123.jpg" returned from the try/catch. 这导致从try / catch返回“无效的列名称abc123.jpg”。
Any help would be appreciated. 任何帮助,将不胜感激。 (I wish they would let me do this in PHP lol!)
(我希望他们能让我在PHP中执行此操作lol!)
Thanks, 谢谢,
Tripbrock Tripbrock
You are missing a parenthesis after the column name and the value represents a string and as such must be enclosed in quotes: 列名后缺少括号,值表示字符串,因此必须用引号括起来:
string sqlcode = "INSERT INTO file_uploads (upload_filename) " +
"VALUES ('"+filename+"')";
However, the correct way would be to use a parameterized query: 但是,正确的方法是使用参数化查询:
string filename = "abc123.jpg";
SqlConnection link = new SqlConnection(/*you dont need to see my data here ;)*/);
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
SqlCommand sql = new SqlCommand(sqlcode,link);
sql.Parameters.AddWithValue("@filename", filename);
link.open();
sql.ExecuteNonQuery();
your SQL is bad formatted. 您的SQL格式错误。 Try this :
尝试这个 :
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";
Where upload_filename is a name of the column 其中upload_filename是列的名称
Really you should be parameterising your queries - this reduces the risk of injection attacks: 实际上,您应该对查询进行参数化 - 这可以降低注入攻击的风险:
string filename = "abc123.jpg";
using( SqlConnection link = new SqlConnection(/*...*/;)) )
{
// sql statement with parameter
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
using( SqlCommand sql = new SqlCommand(sqlcode,link) )
{
// add filename parameter
sql.Parameters.AddWithValue("filename", filename);
link.open();
sql.ExecuteNonQuery();
}
}
Also note the using
statements - these make sure that the connection and command objects are disposed of. 还要注意
using
语句 - 这些确保处理连接和命令对象。
looks like you are missing a bracket: 看起来你错过了一个括号:
string sqlcode = "INSERT INTO file_uploads (upload_filename VALUES ("+filename+")";
Should be 应该
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";
Also, to avoid SQL injection attacks you can use the SQLCommand objects like so. 此外,为了避免SQL注入攻击,您可以像这样使用SQLCommand对象。
using (SQLCommand oSQLCommand = new SQLCommand("INSERT INTO file_uploads (upload_filename) VALUES ( @FileName )")
{
oSQLCommand.Parameters.AddWithValue("@FileName", filename);
oSQLCommand.ExecuteNonQuery();
}
Try 尝试
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";
You were missing a closing parentheses. 你错过了一个结束括号。
Don't know if it is a typo but the line should be: 不知道这是不是一个错字,但该行应该是:
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";
Notice the )
after upload_filename
. 请注意
upload_filename
之后的)
。
Also also added the single quotes around the filename. 还在文件名周围添加了单引号。
But you probably want to use a parameterized query: 但您可能想要使用参数化查询:
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
Then use command.Parameters
to add the actual value. 然后使用
command.Parameters
添加实际值。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.