请帮助从 C# 的文本框中找出这个数据库更新语句有什么问题

Question

comm.CommandText =
        "UPDATE studbiodata([Registration Number], Surname, Othernames, Email,"
      + " Phone, Address, Sex, [Birth Date], Religion, [Marital Status],"
      + " [No. of Children], [Next of Kin], Relationship, [Next of Kin Address])"
      + "SET ([Registration Number] ='" + txtRegNo.Text
      + "', Surname = '" + txtSurname.Text
      + "', Othernames = '" + txtOthernames.Text
      + "', Email = '" + txtEmail.Text
      + "', Phone = '" + txtPhone.Text
      + "', Address = '" + txtMainAdd.Text
      + "', Sex = '" + txtSex.Text
      + "', [Birth Date]= '" + txtBirthDate.Text
      + "', Religion = '" + txtReligion.Text
      + "', [Marital Status]= '" + txtMarital.Text
      + "', [No.of Children] = '" + txtChildren.Text
      + "', [Next of Kin]= '" + txtKin.Text
      + "', Relationship ='" + txtRelationship.Text
      + "', [Next of Kin Address]= '" + txtKinAdd.Text
      + "' WHERE [Registration Number]= '" + txtRegNo.Text + "')";

尝试从网络表单更新后收到的错误消息是：

 System.Data.SqlClient.SqlException (0x80131904): Incorrect syntax near '('. Incorrect syntax near the keyword 'SET'.
 at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
 at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
 at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning()
 at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
 at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async)
 at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
 at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
 at Transcript.studentprofileedit.btnUpdate_Click(Object sender, EventArgs e)
 in C:\Users\Administrator.femzy-PC\Documents\Visual Studio 2010\Projects\Transcript Reloaded\Transcript\studentprofileedit.aspx.cs:line 119

Answer 1

我看到的第一件事是错误的，这是一个经典示例，说明如何使您的网站容易受到 SQL 注入的攻击。 这正是不使用用户输入编写 sql 语句的方法。

可能正在发生的事情是用户正在输入带有单引号（撇号）的内容并且它与语句混淆。

https://www.owasp.org/index.php/SQL_injection

http://en.csharp-online.net/ASP.NET_Security_Hacks%E2%80%94Avoiding_SQL_Injection

使用参数化查询或带参数的存储过程作为绝对的第一步。 这将消除由意外用户输入引起的错误（例如，“O'Connor”作为姓氏会导致以这种方式编码的语句中的错误）。 然后如果还有问题，go 回来看看声明。 您可以使用用户输入（几乎每个程序都可以）——您只需要安全地进行即可。

（最后一次编辑 - 一篇好文章）

http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html

Answer 2

语法错误，不需要先指定列列表。

UPDATE studbiodatarital SET [Registration Number] ='" + txtRegNo.Text + "', Surname = '" + txtSurname.Text + "', Othernames = '" + txtOthernames.Text + "', Email = '" + txtEmail.Text + "', Phone = '" + txtPhone.Text + "', Address = '" + txtMainAdd.Text + "', Sex = '" + txtSex.Text + "', [出生日期]= '" + txtBirthDate。 Text + "', Religion = '" + txtReligion.Text + "', [婚姻状况]= '" + txtMarital.Text + "', [No.of Children] = '" + txtChildren.Text + "', [近亲]= '" + txtKin.Text + "', 关系 ='" + txtRelationship.Text + "', [近亲地址]= '" + txtKinAdd.Text + "' WHERE [注册号]= ' " + txtRegNo.Text + "')