0
错误:语法错误的MySQL
Incorrect Syntax near 's'. unclosed quotation mark after the charater string ');'.
代码:
private void btnAdd_Click(object sender, EventArgs e)
{
SqlConnection cn = new SqlConnection(global::CIMT.Properties.Settings.Default.Database2ConnectionString);
try
{
string sql = "INSERT INTO Students(Student_Id,First_Name,Last_Name,Fathers_Name,DOB,Mobile,Address,Post_Code) VALUES('"+this.txtId.Text+"','"+this.txtFName.Text+"','"+this.txtLName.Text+"','"+this.txtFaName.Text+"','"+this.txtDOB.Text+"','"+this.txtMob.Text+"','"+this.txtAddress.Text+"','"+this.txtPostCode.Text+ "');";
SqlCommand exesql = new SqlCommand(sql, cn);
cn.Open();
exesql.ExecuteNonQuery();
MessageBox.Show("Add new record done !!" , "Message" , MessageBoxButtons.OK , MessageBoxIcon.Information);
this.studentsTableAdapter.Fill(this.database2DataSet.Students);
}
catch (Exception ex)
{
MessageBox.Show(ex.Message , "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}
finally
{
cn.Close();
}
}
这种做法容易受到SQL注入。请为我们所有的努力,参数化您的查询。这几乎肯定会解决这个语法错误。 – 2014-10-05 08:52:05
如果您获得的输入信息是“hello's world”,那么它不会被转义,并且出现错误,所以如上所述(SQL注入),最好使用参数化查询。 – 2014-10-05 08:53:17
[给我参数化的SQL,或给我死亡](http://blog.codinghorror.com/give-me-parameterized-sql-or-give-me-death/) – 2014-10-05 08:56:54