stackoom
  简体   繁体   中英

Incorrect Syntax near “”

 原文  2015-01-19 23:32:31       c#/ sql-server

Question

I think my code is correct but why error syntax near 'po_no' check my code please. What is the problem with my code with this kind of error? Do I need to JOIN or two queries? I just want to display the two table using inner join 

try
{
    if (cb_po_search.Text == "")
    {
        MessageBox.Show("Please Enter to Search!");
    }
    else
    {
        string strPRSconn = ConfigurationManager.ConnectionStrings["POSdb"].ConnectionString;

        SqlConnection sc = new SqlConnection(strPRSconn);
        sc.Open();

        string strQry = "SELECT dbo.POMain.po_no, dbo.POMain.issuing_month, dbo.POMain.supplier, dbo.POMain.model, dbo.POMain.category, dbo.POMain.req_number, dbo.POMain.shipment, dbo.POMain.production_month, dbo.POMain.req_time_arrival, dbo.POMain.req_department, dbo.POMain.lead_time, dbo.POMain.order_desc, dbo.POMain.date_emailed, dbo.POMain.date_confirmed, dbo.POMain.date_recieved, dbo.POMain.assumed_arrival, dbo.Shipping.invoice, dbo.Shipping.loading_date, dbo.Shipping.etd, dbo.Shipping.eta_manila, dbo.Shipping.eta_tstech, dbo.Shipping.ata_tstech, dbo.Shipping.shipping_status, dbo.Shipping.remarks FROM dbo.POMain INNER JOIN dbo.Shipping ON dbo.POMain.po_no = dbo.Shipping.po_noWHERE po_no= '" + cb_po_search.Text + "'";

        SqlCommand scmd = new SqlCommand(strQry, sc);

        SqlDataAdapter da = new SqlDataAdapter(strQry, sc);
        DataTable dt = new DataTable();

        SqlDataReader dr = scmd.ExecuteReader();

        while (dr.Read())
        {
            //purchase order
            tb_ponumber2.Text = (dr["po_no"].ToString());
            tb_reqnumber2.Text = (dr["req_number"].ToString());
            cb_supplier2.Text = (dr["supplier"].ToString());
            cb_model2.Text = (dr["model"].ToString());
            cb_category2.Text = (dr["category"].ToString());
            cb_shipment2.Text = (dr["shipment"].ToString());
            ta_description2.Text = (dr["order_desc"].ToString());
            tb_leadtime2.Text = (dr["lead_time"].ToString());
            tb_request2.Text = (dr["req_department"].ToString());

            dt_time_arrival2.Value = DateTime.Parse(dr["req_time_arrival"].ToString());
            dt_arrival2.Value = DateTime.Parse(dr["assumed_arrival"].ToString());
            dt_confirmed2.Value = DateTime.Parse(dr["date_confirmed"].ToString());
            dt_email2.Value = DateTime.Parse(dr["date_emailed"].ToString());
            dt_production_month2.Value = DateTime.Parse(dr["production_month"].ToString());
            dt_recieve2.Value = DateTime.Parse(dr["date_recieved"].ToString());
            dt_issuing_month2.Value = DateTime.Parse(dr["issuing_month"].ToString());
        }
        sc.Close();
   }
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}

1 answers

solution1
 1 ACCPTED  2015-01-19 23:38:41

Your code is asking for an SQL Injection, use parametized queries instead with SqlParameter class.

Edit. Your query have a missing equals sign at the end. Things that woudn't happen using parametized queries ;-)

http://www.csharp-station.com/Tutorial/AdoDotNet/lesson06

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Incorrect syntax near '(' and near '=' Incorrect syntax near '('. Incorrect Syntax Near '='. [WindowsForm] Incorrect syntax near 'value' Incorrect syntax near ',' AseBulkCopy Incorrect Syntax Near 'Student' Incorrect syntax near @ fileid Incorrect syntax near '.' Incorrect syntax near 'mainMenuNum' Incorrect syntax near',',
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM