我执行UPDATE
或与WHERE
声明INSERT
命令,我已经得到了这个错误:火鸟未知令牌哪里
这里是我的代码:
private void dataGridView1_CellEndEdit(object sender, DataGridViewCellEventArgs e)
{
try
{
FbConnection con = new FbConnection(@"User = SYSDBA; Password = masterkey; Database = D:\TDWORK.fdb; DataSource = localhost; Port = 3050; Dialect = 3; Charset = NONE; Role = admin; Connection lifetime = 15; Pooling = true; MinPoolSize = 0; MaxPoolSize = 50; Packet Size = 8192; ServerType = 0; ");
FbCommand cmd = new FbCommand("UPDATE OR INSERT INTO ZAPOSLENI (ULOGA) VALUES (" + dataGridView1.Rows[e.RowIndex].Cells[e.ColumnIndex].Value.ToString() + ") WHERE ZAPID = " + dataGridView1.Rows[e.RowIndex].Cells[0].Value + " ", con);
con.Open();
cmd.ExecuteNonQuery();
con.Close();
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString());
}
}
这里是如何命令看起来像调试器在其中插入值时:
UPDATE OR INSERT INTO ZAPOSLENI (ULOGA) VALUES (1) WHERE ZAPID = 0
您当前的代码是不安全的,因为它是开放的SQL注入。你应该真的使用参数。 –
你是什么意思 – Pacijent
你将值连接到查询字符串中,这是不安全的。您需要使用参数,请参阅示例[此答案](http://stackoverflow.com/a/10438372/466862) –