
Message: Incorrect syntax near 'ID'

Can I ask why a pop-up message appears with an error near the ID? I find no solution for this. It just pops up this message after I click the button.

Message: Incorrect syntax near 'ID'

public override bool fnSaveNewRecord()
{
    DataSet _ds;
    string _sql;
    object _obj;

    _sql = "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code,company_code, " +
           "corg_code,created_on,created_by) " +
           "VALUES '" + txt_CodeID.Text.Trim() + "','" + cbx_SubInventoryCode.Text + "'," + 
           "'" + cbx_ContactCode.Text + "','" + cbx_CompanyCode.Text + "','" + cbx_CorgCode.Text + "','" +
           "',GETDATE(),'" + App_Common._USER_CODE + "'";

    _ds = new DataSet();
    _obj = new SqlDatabase(App_Common._WSFCSConnStr) as SqlDatabase;
    _ds = ((SqlDatabase)_obj).ExecuteDataSetQ(_sql);

    return base.fnSaveNewRecord();
}

Try using this query:

_sql = "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code,company_code, " +
       "corg_code,created_on,created_by) " +
       // the value list must be wrapped in brackets and supply exactly seven values, one per column
       "VALUES ('" + txt_CodeID.Text.Trim() + "','" + cbx_SubInventoryCode.Text + "'," +
       "'" + cbx_ContactCode.Text + "','" + cbx_CompanyCode.Text + "','" + cbx_CorgCode.Text + "'," +
       "GETDATE(),'" + App_Common._USER_CODE + "')";

You have missed the brackets for VALUES (v1, v2), as @Peter B commented.
Have a look at this link for a reference on the SQL INSERT statement.

And it is always better to use parameterized queries than concatenated strings, because the latter are prone to SQL injection attacks.
Here is a reference for using parameterized queries.

Hope this helps!
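As an added illustration (not code from the question or from either answer) of why the concatenated INSERT is fragile and how the same statement looks with SqlCommand parameters; it assumes System.Data.SqlClient, nvarchar(50) columns and a placeholder connection string, and only builds the commands without executing them:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
// Added example, not code from the question or the answers. Table and column names
// come from the question; the input values and the connection string are constructed.
public static class InsertInformationExample
{
    // Concatenation: data is spliced into the SQL text, so an apostrophe in a value ends the
    // string literal early (a syntax error like the question's) and untrusted input can alter the statement.
    public static string BuildConcatenated(string codeId, string subInventoryCode,
        string contactCode, string companyCode, string corgCode, string userCode)
    {
        return "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code," +
               "company_code,corg_code,created_on,created_by) " +
               "VALUES ('" + codeId + "','" + subInventoryCode + "','" + contactCode + "','" +
               companyCode + "','" + corgCode + "',GETDATE(),'" + userCode + "')";
    }
    // Parameters: the SQL text never changes; each value is sent separately as typed data,
    // so an apostrophe is stored as an apostrophe. The nvarchar(50) sizes are assumed.
    public static SqlCommand BuildParameterized(SqlConnection connection, string codeId,
        string subInventoryCode, string contactCode, string companyCode, string corgCode, string userCode)
    {
        SqlCommand cmd = connection.CreateCommand();
        cmd.CommandText =
            "INSERT INTO do_information (die_class_code, subinvetory_code, contact_code, " +
            "company_code, corg_code, created_on, created_by) " +
            "VALUES (@CodeId, @SubInventoryCode, @ContactCode, @CompanyCode, @CorgCode, GETDATE(), @UserCode)";
        cmd.Parameters.Add("@CodeId", SqlDbType.NVarChar, 50).Value = codeId;
        cmd.Parameters.Add("@SubInventoryCode", SqlDbType.NVarChar, 50).Value = subInventoryCode;
        cmd.Parameters.Add("@ContactCode", SqlDbType.NVarChar, 50).Value = contactCode;
        cmd.Parameters.Add("@CompanyCode", SqlDbType.NVarChar, 50).Value = companyCode;
        cmd.Parameters.Add("@CorgCode", SqlDbType.NVarChar, 50).Value = corgCode;
        cmd.Parameters.Add("@UserCode", SqlDbType.NVarChar, 50).Value = userCode;
        return cmd;
    }
    public static void Main()
    {
        // Constructed input: a legitimate value with an apostrophe. The concatenated text
        // contains 'O'Brien', which SQL Server rejects with a syntax error.
        string contact = "O'Brien";
        Console.WriteLine(BuildConcatenated("D001", "SUB1", contact, "CMP1", "CORG1", "user1"));
        // Placeholder connection string; the command is only built here, never executed.
        using (var connection = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true"))
        using (SqlCommand cmd = BuildParameterized(connection, "D001", "SUB1", contact, "CMP1", "CORG1", "user1"))
        {
            Console.WriteLine(cmd.CommandText); // unchanged regardless of the input
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
        }
    }
}
```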

Your SQL statement is wrong because of the missing brackets for the values.

The code is very messed up and it is hard to see that at first sight. So you had better use parameters to get a cleaner statement that you can easily read and check for syntax errors:

INSERT INTO do_information 
    ( die_class_code, subinventory_code, contact_code, company_code, corg_code, created_on, created_by ) 
VALUES 
    ( @CodeId, @SubInventoryCode, @ContactCode, @CompanyCode, @CorgCode, GETDATE(), @UserCode )

But you can do even more to get this code clean. Wrap all your queries. Here is an example for your statement:

Starting with some reusable base declarations

using System;
using System.Data.Common;
using System.Runtime.CompilerServices;
using System.Threading;
using System.Threading.Tasks;

public interface IExecuteQuery
{
    int Execute();
    Task<int> ExecuteAsync( CancellationToken cancellationToken );
}

public abstract class SqlExecuteQuery : IExecuteQuery
{
    private readonly DbConnection _connection;
    private readonly Lazy<DbCommand> _command;

    protected SqlExecuteQuery( DbConnection connection )
    {
        if ( connection == null )
            throw new ArgumentNullException( nameof( connection ) );
        _connection = connection;
        _command = new Lazy<DbCommand>(
            () =>
            {
                var command = _connection.CreateCommand( );
                PrepareCommand( command );
                return command;
            } );
    }

    protected abstract void PrepareCommand( DbCommand command );

    protected DbCommand Command => _command.Value;

    protected virtual string GetParameterNameFromPropertyName( string propertyName )
    {
        return "@" + propertyName;
    }

    protected T GetParameterValue<T>( [CallerMemberName] string propertyName = null )
    {
        object value = Command.Parameters[ GetParameterNameFromPropertyName( propertyName ) ].Value;
        if ( value == DBNull.Value )
        {
            value = null;
        }
        return (T) value;
    }

    protected void SetParamaterValue<T>( T newValue, [CallerMemberName] string propertyName = null )
    {
        object value = newValue;
        if ( value == null )
        {
            value = DBNull.Value;
        }
        Command.Parameters[ GetParameterNameFromPropertyName( propertyName ) ].Value = value;
    }

    protected virtual void OnBeforeExecute() { }

    public int Execute()
    {
        OnBeforeExecute( );
        return Command.ExecuteNonQuery( );
    }

    public async Task<int> ExecuteAsync( CancellationToken cancellationToken )
    {
        OnBeforeExecute( );
        return await Command.ExecuteNonQueryAsync( cancellationToken );
    }
}

public static class DbCommandExtensions
{
    public static DbParameter AddParameter( this DbCommand command, Action<DbParameter> configureAction )
    {
        var parameter = command.CreateParameter( );
        configureAction( parameter );
        command.Parameters.Add( parameter );
        return parameter;
    }
}

Now define an interface for your statement

public interface IInsertInformationQuery : IExecuteQuery
{
    string CodeId { get; set; }
    string SubInventoryCode { get; set; }
    string ContactCode { get; set; }
    string CompanyCode { get; set; }
    string CorgCode { get; set; }
    string UserCode { get; }
}

The implementation

public class SqlInsertInformationQuery : SqlExecuteQuery, IInsertInformationQuery
{
    public SqlInsertInformationQuery( DbConnection connection ) : base( connection )
    {
    }

    protected override void OnBeforeExecute()
    {
        UserCode = App_Common._USER_CODE; // this should be injected
    }

    protected override void PrepareCommand( DbCommand command )
    {
        command.CommandText =
            @"INSERT INTO do_information ( die_class_code, subinventory_code, contact_code, company_code, corg_code, created_on, created_by ) " +
            @"VALUES ( @CodeId, @SubInventoryCode, @ContactCode, @CompanyCode, @CorgCode, GETDATE(), @UserCode )";

        command.AddParameter( p =>
        {
            p.ParameterName = "@CodeId";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@SubInventoryCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@ContactCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@CompanyCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@CorgCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
        command.AddParameter( p =>
        {
            p.ParameterName = "@UserCode";
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
    }

    public string CodeId
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }
    public string SubInventoryCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }
    public string ContactCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }
    public string CompanyCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }
    public string CorgCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    public string UserCode
    {
        get => GetParameterValue<string>( );
        private set => SetParamaterValue( value );
    }

}

Finally, your code would look like this:

public override bool fnSaveNewRecord()
{
    var database = new SqlDatabase(App_Common._WSFCSConnStr);
    using ( var connection = database.CreateConnection() )
    {
        connection.Open();
        IInsertInformationQuery query = new SqlInsertInformationQuery( connection );

        query.CodeId = txt_CodeID.Text.Trim();
        query.SubInventoryCode = cbx_SubInventoryCode.Text;
        query.ContactCode = cbx_ContactCode.Text;
        query.CompanyCode = cbx_CompanyCode.Text;
        query.CorgCode = cbx_CorgCode.Text;

        var recordsAffected = query.Execute();
    }
    return base.fnSaveNewRecord();
}

Your SQL query is wrong:

_sql = "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code,company_code, " +
       "corg_code,created_on,created_by) " +
       "VALUES ('" + txt_CodeID.Text.Trim() + "','" + cbx_SubInventoryCode.Text + "'," +
       "'" + cbx_ContactCode.Text + "','" + cbx_CompanyCode.Text + "','" + cbx_CorgCode.Text + "'," +
       "GETDATE(),'" + App_Common._USER_CODE + "')"; // seven values for the seven listed columns

Your values have to be in brackets. Have a look at this:

https://www.w3schools.com/sql/sql_insert.asp
