Incorrect syntax near '/'
cmSQL = New SqlCommand("UPDATE AdBanner SET AdBannerTitle='" & txTitle.Text & "',AdBannerFileUrl=/Images/'" & fileUpload.FileName & "',AdBannerTargerUrl='" & txTargetUrl.Text & "',AdBannerIsActive='" & chkBox.Checked & "' WHERE AdBannerID='" & lblBannerId.Text & "'", cnSQL)
Error: Incorrect syntax near '/'.
I got that error when updating a record.
You must put the quotation mark ( ' ) before /Images/. Change your statement to this:
cmSQL = New SqlCommand("UPDATE AdBanner SET AdBannerTitle='" & txTitle.Text _
& "',AdBannerFileUrl='/Images/" & fileUpload.FileName _
& "',AdBannerTargerUrl='" & txTargetUrl.Text _
& "',AdBannerIsActive='" & chkBox.Checked _
& "' WHERE AdBannerID='" & lblBannerId.Text & "'", cnSQL)
And when you're done with that, I'd recommend you start learning about SQL Injection immediately. It's a simple but dangerous security hazard.
The immediate problem is that you aren't creating a valid literal for AdBannerFileUrl; however! Your approach at the moment is deadly. Please see "SQL injection". You should parameterize that, then it becomes:
cmSql = New SqlCommand("UPDATE AdBanner SET AdBannerTitle=@Title, AdBannerFileUrl=@FileUrl, AdBannerTargerUrl=@TargetUrl, AdBannerIsActive=@IsActive WHERE AdBannerID=@ID", cnSQL)
However! You must then add parameters for each of those:
' VB.NET syntax to match the question (no semicolons, & for concatenation)
cmSql.Parameters.AddWithValue("@Title", txTitle.Text)
cmSql.Parameters.AddWithValue("@FileUrl", "/Images/" & fileUpload.FileName)
cmSql.Parameters.AddWithValue("@TargetUrl", txTargetUrl.Text)
cmSql.Parameters.AddWithValue("@IsActive", chkBox.Checked)
cmSql.Parameters.AddWithValue("@ID", lblBannerId.Text)
You are missing a ' before the /Images/ part, so the SQL that SQL Server gets is malformed.
However, doing concatenation-based SQL on the server, in this day and age, is, to put it bluntly, stupid, especially when using unvalidated user-supplied values (like txTitle.Text).
A better approach would be:
cmSQL = New SqlCommand("UPDATE AdBanner SET AdBannerTitle=@AdBannerTitle" _
& ", AdBannerFileUrl=@AdBannerFileUrl" _
& ", AdBannerTargerUrl=@AdBannerTargerUrl" _
& ", AdBannerIsActive=@AdBannerIsActive" _
& " WHERE AdBannerID=@AdBannerID", cnSQL)
cmSQL.CommandType = CommandType.Text
cmSQL.Parameters.AddWithValue("@AdBannerTitle", txTitle.Text)
cmSQL.Parameters.AddWithValue("@AdBannerFileUrl", "/Images/" & fileUpload.FileName)
cmSQL.Parameters.AddWithValue("@AdBannerTargerUrl", txTargetUrl.Text)
cmSQL.Parameters.AddWithValue("@AdBannerIsActive", chkBox.Checked)
cmSQL.Parameters.AddWithValue("@AdBannerID", lblBannerId.Text)
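Building on the two parameterized answers above, here is an added example of my own (it is not code from the question or from any of the answers) that goes one step further: the parameters are given explicit SQL types instead of relying on AddWithValue's type inference, the banner ID is passed as an Integer rather than as label text, the uploaded file name is reduced to its base name before being turned into a URL, and the connection and command are disposed with Using blocks. It assumes a connectionString value and the control names from the question (txTitle, fileUpload, txTargetUrl, chkBox, lblBannerId); the column types nvarchar, bit and int for the AdBanner table are assumptions, since the page does not state them.

```vbnet
' Added example, not the question's or any answer's code.
' Assumed: column types nvarchar/bit/int on AdBanner (the page does not say),
' and a connection string supplied by the caller.
Imports System.Data
Imports System.Data.SqlClient
Imports System.IO

Public Class AdBannerRepository
    Private ReadOnly _connectionString As String

    Public Sub New(connectionString As String)
        _connectionString = connectionString
    End Sub

    ' Updates one banner row. Returns the number of rows affected
    ' (0 means no banner had the given ID).
    Public Function UpdateBanner(bannerId As Integer, title As String, _
                                 uploadedFileName As String, targetUrl As String, _
                                 isActive As Boolean) As Integer
        ' Path.GetFileName drops any directory part a browser may have sent
        ' with the upload, so the stored URL is always /Images/<name>.
        Dim fileUrl As String = "/Images/" & Path.GetFileName(uploadedFileName)

        ' Column and table names as used in the question (AdBannerTargerUrl
        ' is spelled the way the question spells it).
        Dim sql As String = _
            "UPDATE AdBanner " & _
            "SET AdBannerTitle = @AdBannerTitle, " & _
            "    AdBannerFileUrl = @AdBannerFileUrl, " & _
            "    AdBannerTargerUrl = @AdBannerTargerUrl, " & _
            "    AdBannerIsActive = @AdBannerIsActive " & _
            "WHERE AdBannerID = @AdBannerID"

        Using cn As New SqlConnection(_connectionString)
            Using cm As New SqlCommand(sql, cn)
                ' Typed parameters: each value travels to SQL Server as data,
                ' never as part of the statement text, so a quote in the title
                ' cannot break or change the UPDATE, and the server does not
                ' have to guess the parameter types (sizes are assumed here).
                cm.Parameters.Add("@AdBannerTitle", SqlDbType.NVarChar, 200).Value = title
                cm.Parameters.Add("@AdBannerFileUrl", SqlDbType.NVarChar, 260).Value = fileUrl
                cm.Parameters.Add("@AdBannerTargerUrl", SqlDbType.NVarChar, 2048).Value = targetUrl
                cm.Parameters.Add("@AdBannerIsActive", SqlDbType.Bit).Value = isActive
                cm.Parameters.Add("@AdBannerID", SqlDbType.Int).Value = bannerId

                cn.Open()
                Return cm.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Class
```

From the page's update handler the call would be `repo.UpdateBanner(bannerId, txTitle.Text, fileUpload.FileName, txTargetUrl.Text, chkBox.Checked)`, where bannerId comes from `Integer.TryParse(lblBannerId.Text, bannerId)` and the handler rejects the request when parsing fails; that way a non-numeric ID never reaches the database at all. Checking the returned row count lets the handler notice when no banner matched the ID instead of silently reporting success.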
Your single quotes are misplaced. Your code must be:
cmSQL = New SqlCommand("UPDATE AdBanner SET AdBannerTitle='" & txTitle.Text & "',AdBannerFileUrl='/Images/" & fileUpload.FileName & "',AdBannerTargerUrl='" & txTargetUrl.Text & "',AdBannerIsActive='" & chkBox.Checked & "' WHERE AdBannerID='" & lblBannerId.Text & "'", cnSQL)