[英]insert into database
我确保所有内容都与数据库中的列类型有关,但是我一直在获取SQLCeException。 谁能告诉我这段代码有什么问题吗?
private void ANDPaddDriverButton_Click(object sender, EventArgs e)
{
string first = ANDPfirstNametextBox.Text;
string last = ANDPlastNametextBox.Text;
string mid = textBox5.Text;
string phone = ANDPphonetextBox.Text;
string social = ANDPsSNtextBox.Text;
// EmployeeType="Employee"
string city = ANDPCityTextbox.Text;
string state = ANDPStatetextBox.Text;
string zip = ANDPzipCodetextbox.Text;
string email = ANDPemailtextBox.Text;
string address = ANDPaddressTextBox.Text;
string user = userName.Text;
DBConn.Open();
SqlCeCommand cmd = new SqlCeCommand("INSERT INTO [Employee Table] VALUES (" +
first + "," + last + "," + mid + "," + address + "," + phone + "," + social + ","
+ "Employee" + "," + city + "," + state + "," + zip + "," + email + "," + userName + ")", DBConn);
cmd.ExecuteNonQuery();
DBConn.Close();
}
使用参数来防止SQL注入和列名,因为您依赖于表列的数量和顺序,将来它可能会改变(我猜这些列名):
SqlCeCommand cmd = new SqlCeCommand("INSERT INTO [Employee Table] (First, Last, Mid, Address, Phone, Social, Employee, City, State, Zip, Email, UserName) VALUES (@First, @Last, @Mid, @Address, @Phone, @Social, @Employee, @City, @State, @Zip, @Email, @UserName)", DBConn);
cmd.Parameters.AddWithValue("@First", first);
cmd.Parameters.AddWithValue("@Last", last);
cmd.Parameters.AddWithValue("@Mid", mid);
cmd.Parameters.AddWithValue("@Address", address);
cmd.Parameters.AddWithValue("@Phone", phone);
// etc. each column
顺便说一句,不要在表名和列名中使用空格;-)
您的string / varchar类型的字段必须用单引号引起来!
SqlCeCommand cmd = new SqlCeCommand("INSERT INTO [Employee Table] VALUES (" +
"'" + first + "',"
等等...
另外,正如其他人已经评论过的那样,您将极大地使您的代码遭受SQL注入攻击
正如Lorenzo所说,字符串值必须用单引号引起来,但是请阅读此页 ,它解释了为什么您不应该以这种方式构建查询,并向您展示了如何使用参数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.