1. 首页
  2. 问答
  3. 语法错误的MySQL

语法错误的MySQL

2014-10-05 73 views
0

错误:语法错误的MySQL

Incorrect Syntax near 's'. unclosed quotation mark after the charater string ');'.

代码:

private void btnAdd_Click(object sender, EventArgs e) 
{ 
    SqlConnection cn = new SqlConnection(global::CIMT.Properties.Settings.Default.Database2ConnectionString); 

    try 
    { 
     string sql = "INSERT INTO Students(Student_Id,First_Name,Last_Name,Fathers_Name,DOB,Mobile,Address,Post_Code) VALUES('"+this.txtId.Text+"','"+this.txtFName.Text+"','"+this.txtLName.Text+"','"+this.txtFaName.Text+"','"+this.txtDOB.Text+"','"+this.txtMob.Text+"','"+this.txtAddress.Text+"','"+this.txtPostCode.Text+ "');"; 
     SqlCommand exesql = new SqlCommand(sql, cn); 
     cn.Open(); 
     exesql.ExecuteNonQuery(); 

     MessageBox.Show("Add new record done !!" , "Message" , MessageBoxButtons.OK , MessageBoxIcon.Information); 
     this.studentsTableAdapter.Fill(this.database2DataSet.Students); 
    } 

    catch (Exception ex) 
    { 
     MessageBox.Show(ex.Message , "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); 
    } 

    finally 
    { 
     cn.Close(); 
    } 
}

来源

2014-10-05 user3430044

+4

这种做法容易受到SQL注入。请为我们所有的努力,参数化您的查询。这几乎肯定会解决这个语法错误。 – 2014-10-05 08:52:05

+3

如果您获得的输入信息是“hello's world”,那么它不会被转义,并且出现错误,所以如上所述(SQL注入),最好使用参数化查询。 – 2014-10-05 08:53:17

+1

[给我参数化的SQL,或给我死亡](http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/) – 2014-10-05 08:56:54

回答

1

使用参数化类的家伙查询告诉你的意见,不但会避免错误,但它会也可以帮助您避免SQL注入。

private void btnAdd_Click(object sender, EventArgs e) 
{ 
    var cnString = global::CIMT.Properties.Settings.Default.Database2ConnectionString; 
    using (SqlConnection cn = new SqlConnection(cnString)) 
    { 
     try 
     { 
      cn.Open(); 
      using (var exesql = new SqlCommand(
         @"INSERT INTO Students(Student_Id 
              ,First_Name 
              ,Last_Name 
              ,Fathers_Name 
              ,DOB 
              ,Mobile 
              ,Address 
              ,Post_Code) 
         VALUES(@Student_Id 
           ,@First_Name 
           ,@Last_Name 
           ,@Fathers_Name 
           ,@DOB 
           ,@Mobile 
           ,@Address 
           ,@Post_Code);", 
      cn)) 
      { 
       exesql.Parameters.AddWithValue("@Student_Id", this.txtId.Text); 
       exesql.Parameters.AddWithValue("@First_Name", this.txtFName.Text); 
       exesql.Parameters.AddWithValue("@Last_Name",this.txtLName.Text); 
       exesql.Parameters.AddWithValue("@Fathers_Name", this.txtFaName.Text); 
       exesql.Parameters.AddWithValue("@DOB", this.txtDOB.Text); 
       exesql.Parameters.AddWithValue("@Mobile", this.txtMob.Text); 
       exesql.Parameters.AddWithValue("@Address", this.txtAddress.Text); 
       exesql.Parameters.AddWithValue("@Post_Code", this.txtPostCode.Text); 

       exesql.ExecuteNonQuery(); 

       MessageBox.Show("Add new record done !!" , "Message" , MessageBoxButtons.OK 
           , MessageBoxIcon.Information); 
       this.studentsTableAdapter.Fill(this.database2DataSet.Students); 
      } 
     } 
     catch (Exception ex) 
     { 
      MessageBox.Show(ex.Message , "Error", MessageBoxButtons.OK, MessageBoxIcon.Error); 
     } 
    } 
}

阅读了关于SqlParameter Class

来源

2014-10-05 21:15:55 meda

相关问题

 相关问题