Inserting array into SQL Server database problems
Question
I'm attempting to insert an array into a SQL Server database. 1/4 is copied to the database before I receive the error:
Incorrect syntax near 's'. Unclosed quotation mark after the character string ', ')'.
Here is the button click event -
private void button3_Click(object sender, EventArgs e)
{
SqlConnection sql = new SqlConnection("server=localhost; uid=xxxx; pwd=xxxx; database=Movies;");
sql.Open();
for (int i = 0; i < jointArray.Length; i++)
{
SqlCommand command = new SqlCommand("insert into [" + folderName + "] " + "values('" + jointArray[i].ToString() +"', '')", sql);
command.ExecuteNonQuery();
}
sql.Close();
}
6 answers
solution1
4 ACCPTED 2011-06-15 11:54:19
I would hazard a guess that a 1/4 of the way through jointArray[i].ToString() contains an apostrophe.
So instead of a SQL query that looks like this..
insert into [MyFolder] values('MyValue')
you end up with something that looks like this
insert into [MyFolder] values('MyValue's')
which causes the error (notice where incorrect syntax near the s is!)
Please consider using parameters with your SQLCommand (look up Parameters.Add and Parameters.AddWithValue ).
Using Parameters makes your code
- More readable
- Easier to debug
- Less prone to SQL injection attacks (which recently got Sony Pictures hacked)
solution2
3 2011-06-15 11:54:50
Looks like you might have apostrophes in your data, which is messing up your query.
This is a really bad approach. Unless you can guarantee that your data won't have any unexpected characters, you should be using SQL parameters at the very least to ensure they are interpreted correctly.
solution3
2 2011-06-15 11:56:56
你的一个数组元素很可能包含一个撇号。
solution4
2 2011-06-15 11:57:15
The problem is that you don't encode the string properly to be a string literal in SQL. When there is an apostrophe in the string it will break the syntax.
You should use a parameter instead of concatenating the string into the SQL code.
This will also allow you to reuse the same query and command object for all queries, instead of creating a new command for each query. You can also call Prepare on the command before the loop to reduce some of the overhead for each execution.
Example:
private void button3_Click(object sender, EventArgs e) {
using (SqlConnection sql = new SqlConnection("server=localhost; uid=xxxx; pwd=xxxx; database=Movies;")) {
sql.Open();
using (SqlCommand command = new SqlCommand("insert into [" + folderName + "] values(@P, '')", sql) {
SqlParameter param = command.Parameters.Add("@P", SqlDbType.VarChar, 50);
command.Prepare();
for (int i = 0; i < jointArray.Length; i++) {
param.Value = jointArray[i].ToString();
command.ExecuteNonQuery();
}
}
}
}
solution5
1 2011-06-15 11:53:11
检查SQL转义字符,例如'
solution6
1 2011-06-15 11:53:32
Somewhere in your values you have an unescaped single quote. Prob something like this should quick fix it.
SqlCommand command = new SqlCommand("insert into [" + folderName + "] " + "values('" + jointArray[i].ToString().Replace("'", "''") +"', '')", sql);
EDIT Oops, paste error! Pasted what you had.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.