stackoom
  简体   繁体   中英

Incorrect syntax inserting data into table

 原文  2013-10-20 15:32:49       c#/ .net/ sql-server-2008

Question

I am having some trouble with my update() method. The idea is that the user Provides a recipe name, ingredients, instructions and then selects an image using Filestream.

Once the user clicks 'Add Recipe' this will call the update method, however as things stand I am getting an error which is mentioning the contents of the text box:

在此处输入图片说明

Here is the update() method code: 

 private void updatedata()

        { 
        // filesteam object to read the image
        // full length of image to a byte array

            try
            {
                // try to see if the image has a valid path

                if (imagename != "")
                {

                    FileStream fs;
                    fs = new FileStream(@imagename, FileMode.Open, FileAccess.Read);

                    // a byte array to read the image

                    byte[] picbyte = new byte[fs.Length];
                    fs.Read(picbyte, 0, System.Convert.ToInt32(fs.Length));
                    fs.Close();

                    //open the database using odp.net and insert the lines

                    string connstr = @"Server=mypcname\SQLEXPRESS;Database=RecipeOrganiser;Trusted_Connection=True";

                    SqlConnection conn = new SqlConnection(connstr);
                    conn.Open();
                    string query;
                    query = "insert into Recipes(RecipeName,RecipeImage,RecipeIngredients,RecipeInstructions) values (" + textBox1.Text + "," + " @pic" + "," + textBox2.Text + "," + textBox3.Text + ")";
                    SqlParameter picparameter = new SqlParameter();
                    picparameter.SqlDbType = SqlDbType.Image;
                    picparameter.ParameterName = "pic";
                    picparameter.Value = picbyte;
                    SqlCommand cmd = new SqlCommand(query, conn);
                    cmd.Parameters.Add(picparameter);
                    cmd.ExecuteNonQuery();
                    MessageBox.Show("Image successfully saved");
                    cmd.Dispose();
                    conn.Close();
                    conn.Dispose();
                    Connection();
                }
            }
            catch (Exception ex)
            {
                MessageBox.Show(ex.Message);
            }
        }

Can anyone see where I have gone wrong with the insert into Recipes query or suggest an alternative approach to this part of the code?

3 answers

solution1
 3 ACCPTED  2013-10-20 15:36:28

Your code is open to SQL Injection, but probably your error comes from some text that contains a single quote (the instructions fields for example) and this break your command string build using concatenating the user input.

EDIT As someone pointed in comment the error is caused by the missing quotes around your textboxes. But while easy to fix that's not the way to go because it is wrong to fix the error adding the missing quotes. It is just postponig the problem leaving a big security hole waiting to be exploited.

A parameterized query could avoid all this mess. 

  string connstr = "....";     
  string query = "insert into Recipes(RecipeName,RecipeImage,RecipeIngredients,RecipeInstructions) " + 
          "values (@name, @pic, @ing, @instr)";
  using(SqlConnection conn = new SqlConnection(connstr))
  using(SqlCommand cmd = new SqlCommand(query, conn))
  {
    conn.Open();
    SqlParameter picparameter = new SqlParameter();
    picparameter.SqlDbType = SqlDbType.Image;
    picparameter.ParameterName = "@pic";
    picparameter.Value = picbyte;
    cmd.Parameters.Add(picparameter);
    cmd.Parameters.AddWithValue("@name", textbox1.Text);
    cmd.Parameters.AddWithValue("@ing", textbox2.Text);
    cmd.Parameters.AddWithValue("@instr", textbox3.Text);
    cmd.ExecuteNonQuery();
    MessageBox.Show("Image successfully saved");
  }

solution2
 3  2013-10-20 15:38:52

Since you using string concatenations, you probably missed a quote or you put an extra quote or missed a comma or put extra comma etc etc....

Don't use this way!

Your error doesn't look obviously but you should always use parameterized queries . This kind of string concatenations are open for SQL Injection attacks. 

query = "insert into Recipes(RecipeName,RecipeImage,RecipeIngredients,RecipeInstructions) values (@p1, @pic, @p3, @p4)";
SqlCommand cmd = new SqlCommand(query, conn);
cmd.Parameters.AddWithValue(@p1, textBox1.Text);
cmd.Parameters.AddWithValue(@pic, textBox1.Text);
cmd.Parameters.AddWithValue(@p3, textBox1.Text);
cmd.Parameters.AddWithValue(@p4, picparameter);

solution3
 1  2013-12-12 07:27:53

try this

query = "insert into Recipes(RecipeName,RecipeImage,RecipeIngredients,RecipeInstructions) values ('" + textBox1.Text + "'," + " @pic" + ",'" + textBox2.Text + "','" + textBox3.Text + "')";

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Inserting data into database but getting incorrect syntax error Incorrect syntax near ')'. when inserting data from multiple tables incorrect syntax near the keyword 'Table' when obtaining data from a database System.Data.SqlClient.SqlException: 'Incorrect syntax near the keyword 'Table'.' System.Data.SqlClient.SqlException: 'incorrect syntax near 'table'.' “Incorrect syntax near 'GO'” when inserting values Incorrect syntax near '?' while inserting HTML as NVARCHAR syntax error while inserting data into ms access table Incorrect error near ',' (inserting values into a table) bltoolkit inserting data to a table
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM