[英]C# connection with SQL
[WebMethod]
public void RegisterStudent(string Name, string Gender, int Marks)
{
string connectionString =
"Data Source =SAJID-PC\\SQLEXPRESS;Initial Catalog=Design;Integrated Security=True";
SqlConnection con = new SqlConnection(connectionString);
con.Open();
String query = "INSERT INTO Students VALUES + ('" + Name + "', '" + Gender + "'," + Marks + ")";
SqlCommand sqlcom = new SqlCommand(query, con);
sqlcom.ExecuteNonQuery();
con.Close();
}
調用該方法時出現此錯誤:
System.Data.SqlClient.SqlException:“+”附近的語法不正確。 在 System.Data.SqlClient.SqlConnection.OnError(SqlException 異常,Boolean breakConnection,Action1 wrapCloseInAction) 在 System.Data.SqlClient.SqlInternalConnection.OnError(SqlException 異常,Boolean breakConnection,Action1 wrapCloseInAction) 在 System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning (TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior) System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite) at System.Data.SqlClient.SqlCommand.ExecuteNonQuery 的 String methodName、Boolean async、Int32 超時、Boolean asyncWrite) () 在 Assignment4Web.StudentService.RegisterStu dent(String Name, String Gender, Int32 Marks) in c:\\users\\sajid\\documents\\visual studio 2010\\Projects\\Assignment4Web\\Assignment4Web\\StudentService.asmx.cs:line 56
在Values
之后刪除不必要的+
並在Marks
周圍添加'
,如下所示:
String query = "INSERT INTO Students VALUES ('" + Name + "', '" + Gender + "','" + Marks + "')";
盡管您應該始終使用parameterized queries
來避免SQL Injection
。 像這樣的東西:
SqlCommand sqlcom = new SqlCommand("INSERT INTO Students VALUES(@Name ,@Gender,@Marks");
cmd.Parameters.AddWithValue("@Name",Name);
cmd.Parameters.AddWithValue("@Gender",Gender);
cmd.Parameters.AddWithValue("@Marks",Marks);
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.