
Incorrect syntax near '/'

cmSQL = New SqlCommand("UPDATE AdBanner SET AdBannerTitle='" & txTitle.Text & "',AdBannerFileUrl=/Images/'" & fileUpload.FileName & "',AdBannerTargerUrl='" & txTargetUrl.Text & "',AdBannerIsActive='" & chkBox.Checked & "' WHERE AdBannerID='" & lblBannerId.Text & "'", cnSQL)

Error: Incorrect syntax near '/'.

I got that error when updating a record.

You must put the quotation mark ( ' ) before /Images/ . Change your statement to this:

cmSQL = New SqlCommand("UPDATE AdBanner SET AdBannerTitle='" & txTitle.Text _
        & "',AdBannerFileUrl='/Images/" & fileUpload.FileName _
        & "',AdBannerTargerUrl='" & txTargetUrl.Text _
        & "',AdBannerIsActive='" & chkBox.Checked _
        & "' WHERE AdBannerID='" & lblBannerId.Text & "'", cnSQL)

And when you're done with that, I'd recommend you start learning about SQL Injection immediately. It's a simple but dangerous security hazard.

The immediate problem is that you aren't creating a valid literal for AdBannerFileUrl ; however! Your approach at the moment is deadly. Please see "SQL injection". You should parameterize that, then it becomes:

cmSql = New SqlCommand("UPDATE AdBanner SET AdBannerTitle=@Title,AdBannerFileUrl=@FileUrl,AdBannerTargerUrl=@TargetUrl,AdBannerIsActive=@IsActive WHERE AdBannerID=@ID", cnSQL)

However! You must then add parameters for each of those:

' VB.NET syntax to match the question (no semicolons, & for concatenation);
' the control names match those used in the question
cmSql.Parameters.AddWithValue("@Title", txTitle.Text)
cmSql.Parameters.AddWithValue("@FileUrl", "/Images/" & fileUpload.FileName)
cmSql.Parameters.AddWithValue("@TargetUrl", txTargetUrl.Text)
cmSql.Parameters.AddWithValue("@IsActive", chkBox.Checked)
cmSql.Parameters.AddWithValue("@ID", lblBannerId.Text)

You are missing a ' before the /Images/ part, so the SQL that SQL Server gets is malformed.

However, doing a concatenation based SQL on the server, in this day and age, is, to put it bluntly, stupid, especially when using unvalidated user-supplied values (like txTitle.Text).

A better approach would be:

cmSQL = New SqlCommand("UPDATE AdBanner SET AdBannerTitle=@AdBannerTitle" _
    & ", AdBannerFileUrl=@AdBannerFileUrl" _
    & ", AdBannerTargerUrl=@AdBannerTargerUrl" _
    & ", AdBannerIsActive=@AdBannerIsActive" _
    & " WHERE AdBannerID=@AdBannerID", cnSQL)
cmSQL.CommandType = CommandType.Text

cmSQL.Parameters.AddWithValue("@AdBannerTitle", txTitle.Text)
cmSQL.Parameters.AddWithValue("@AdBannerFileUrl", "/Images/" & fileUpload.FileName)
cmSQL.Parameters.AddWithValue("@AdBannerTargerUrl", txTargetUrl.Text)
cmSQL.Parameters.AddWithValue("@AdBannerIsActive", chkBox.Checked)
cmSQL.Parameters.AddWithValue("@AdBannerID", lblBannerId.Text)
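The two answers above both say the same thing: fix the missing quote, but really stop building the SQL text out of user input. The .NET snippets cannot be run outside a project, so here is an added, runnable illustration that is not part of the question or of any answer on this page. It stands in SQLite and Python's sqlite3 module for SQL Server and SqlCommand, uses :Name placeholders where ADO.NET uses @Name, and assumes column types for the AdBanner table (only the column names come from the question). It runs the question's concatenated UPDATE and the answers' parameterized UPDATE against the same table, first with a harmless title and then with a title containing an apostrophe, which is enough to break the concatenated statement with the same class of error the asker saw.

```python
import sqlite3

# Constructed stand-in for the AdBanner table from the question. Column names come
# from the question; the types are an assumption (SQLite here, not SQL Server).
SCHEMA = """
CREATE TABLE AdBanner (
    AdBannerID        INTEGER PRIMARY KEY,
    AdBannerTitle     TEXT,
    AdBannerFileUrl   TEXT,
    AdBannerTargerUrl TEXT,
    AdBannerIsActive  INTEGER
)
"""


def make_db():
    """Fresh in-memory database seeded with one banner row (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO AdBanner VALUES (1, 'old title', '/Images/old.png', "
        "'https://example.invalid/old', 0)"
    )
    conn.commit()
    return conn


def update_concatenated(conn, banner_id, title, file_name, target_url, is_active):
    """The question's approach: splice the input straight into the SQL text.
    Any apostrophe in the input ends the literal early and the statement
    fails with a syntax error, the same class of problem the asker hit."""
    sql = (
        "UPDATE AdBanner SET AdBannerTitle='" + title
        + "',AdBannerFileUrl='/Images/" + file_name
        + "',AdBannerTargerUrl='" + target_url
        + "',AdBannerIsActive='" + str(int(is_active))
        + "' WHERE AdBannerID='" + str(banner_id) + "'"
    )
    conn.execute(sql)
    conn.commit()


def update_parameterized(conn, banner_id, title, file_name, target_url, is_active):
    """The answers' approach: fixed SQL text, values passed separately.
    sqlite3 uses :Name placeholders where ADO.NET uses @Name."""
    sql = (
        "UPDATE AdBanner SET AdBannerTitle=:Title, AdBannerFileUrl=:FileUrl, "
        "AdBannerTargerUrl=:TargetUrl, AdBannerIsActive=:IsActive "
        "WHERE AdBannerID=:ID"
    )
    conn.execute(sql, {
        "Title": title,
        "FileUrl": "/Images/" + file_name,  # the prefix joins the value, not the SQL
        "TargetUrl": target_url,
        "IsActive": int(is_active),
        "ID": banner_id,
    })
    conn.commit()


def read_banner(conn, banner_id):
    """Return (title, file url) for a banner, again via a parameter."""
    return conn.execute(
        "SELECT AdBannerTitle, AdBannerFileUrl FROM AdBanner WHERE AdBannerID=?",
        (banner_id,),
    ).fetchone()


def demo():
    """Run both variants on a harmless title and on one containing an apostrophe."""
    plain = "Plain Title"
    with_quote = "Summer Sale: Pat's Picks"  # constructed input with an apostrophe
    results = {}

    conn = make_db()
    update_concatenated(conn, 1, plain, "plain.png", "https://example.invalid/p", True)
    results["concat_plain"] = read_banner(conn, 1)

    try:
        update_concatenated(conn, 1, with_quote, "pat.png", "https://example.invalid/pat", True)
        results["concat_apostrophe"] = read_banner(conn, 1)
    except sqlite3.OperationalError as exc:
        results["concat_apostrophe"] = "error: " + str(exc)

    conn = make_db()
    update_parameterized(conn, 1, with_quote, "pat.png", "https://example.invalid/pat", True)
    results["param_apostrophe"] = read_banner(conn, 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The concatenated form works only as long as nobody types a quote; the parameterized form stores the apostrophe intact because the database driver never parses the value as SQL. It also removes the original bug by construction: the "/Images/" prefix is joined to the value on the application side, so there is no literal in the SQL text whose quotes can be misplaced.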

Your single quotes are misplaced.

Your code must be:

    cmSQL = New SqlCommand("UPDATE AdBanner SET AdBannerTitle='" & txTitle.Text & "',AdBannerFileUrl='/Images/" & fileUpload.FileName & "',AdBannerTargerUrl='" & txTargetUrl.Text & "',AdBannerIsActive='" & chkBox.Checked & "' WHERE AdBannerID='" & lblBannerId.Text & "'", cnSQL)
