[英]Syntax error with inserting sql into access db using C# and asp.net
我收到了错误
cmd.ExecuteNonQuery();
这说
INSERT INTO语句中的语法错误
我认为我的查询应该是有效的,我不明白这个问题,而且我已经工作了好几个小时。 这是正确的顺序,并围绕Users
放置[]
不适合我,将不胜感激。
<%@ Page Language ="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.OleDb" %>
<script runat="server">
protected void Page_Load()
{
String username = Request.Form["username"];
String email = Request.Form["email"];
String password = Request.Form["password1"];
var age = Request.Form["age"];
String country = Request.Form["country"];
String hobbie = Request.Form["skin"];
String sql;
sql = "INSERT INTO Users(UserName, Email, Password, Age, Country, Hobbie) VALUES('" + username + "','" + email + "','" + password + "'," + age + ",'" + country + "','" + skin + "')";
String Path = Server.MapPath("App_Data/Users.accdb");
String connStr = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source="+Path;
OleDbConnection conn = new OleDbConnection(connStr);
conn.Open();
OleDbCommand cmd = new OleDbCommand(sql, conn);
cmd.ExecuteNonQuery();
conn.Close();
}
PASSWORD是MS-Access的保留关键字。 用方括号括起来
sql = "INSERT INTO Users(UserName, Email, [Password] ....
但是,请更改该sql文本以使用参数化查询。 此外,如果您能够使用实际值发送此命令,则查询仍然对Sql Injection漏洞开放,并且当您的输入字符串包含单引号时可能会出现解析问题
sql = @"INSERT INTO Users(UserName, Email, [Password], Age, Country, Hobbie)
VALUES(?,?,?,?,?,?)";
....
OleDbCommand cmd = new OleDbCommand(sql, conn);
cmd.Parameters.AddWithValue("@p1", username);
.... and so on for the other 5 parameters required by the query ....
我认为密码是一个保留字。 使用像[密码]
试试这个
sql = "INSERT INTO Users(UserName,Email,[Password],Age,Country,Hobbie) VALUES('" + username + "','" + email + "','" + password + "'," + age + ",'" + country + "','" + skin + "')";
这不是推荐的。 使用参数化查询。 如下:
sql = "INSERT INTO Users(UserName, Email, [Password], Age, Country, Hobbie)
VALUES(@UserName,@Email,@Password,@Age,@Country,@Hobbie)";
OleDbCommand cmd = new OleDbCommand(sql, conn);
cmd.Connection = conn;
cmd.CommandType = CommandType.Text;
cmd.Parameters.AddWithValue("@UserName", username);
cmd.Parameters.AddWithValue("@Email", Email);
cmd.Parameters.AddWithValue("@Password", Password);
cmd.Parameters.AddWithValue("@Age", Age);
cmd.Parameters.AddWithValue("@Country", Country);
cmd.Parameters.AddWithValue("@Hobbie", Hobbie);
使用[密码]而不是密码
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.