Asp.net 查询中出现语法错误(缺少运算符)
我正在尝试向正在构建的站点添加评论。由于审查的内容分为3个表,我试图在数据库中为一次审查执行3次插入。当我运行该页面时,它会显示出来,因此我知道它大部分都在工作,但当我单击“提交”按钮时,我会看到:Asp.net 查询中出现语法错误(缺少运算符),asp.net,sql,vb.net,Asp.net,Sql,Vb.net,我正在尝试向正在构建的站点添加评论。由于审查的内容分为3个表,我试图在数据库中为一次审查执行3次插入。当我运行该页面时,它会显示出来,因此我知道它大部分都在工作,但当我单击“提交”按钮时,我会看到: Syntax error (missing operator) in query expression '3')'' error message. 这意味着问题在于这一行代码: Line 86: dbInsert.ExecuteNonQuery() 这是我为本节编写的代码: D
Syntax error (missing operator) in query expression '3')'' error message.
Line 86: dbInsert.ExecuteNonQuery()
Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) "
sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "'," & uID & "')'"
Dim sql2 As String = "INSERT INTO MReviewRatings (MReviewID, ValueForMoney, ActingAbility, SpecialEffects, Plot, Total) "
sql2 = sql2 & " VALUES ('" & movID & "','" & moneyStar(moneyStarRating) & "','" & actingStar(actingStarRating) & "','" & effectsStar(effectStarRating) & "','" & plotStar(plotStarRating) & "','" & totalStar(avg) & "')'"
Dim sql3 As String = "INSERT INTO MReviewTexts (MReviewID, ReviewText) "
sql3 = sql3 & " VALUES ('" & review_id & "','" & txtReviewText.Text & "')'"
dbInsert.CommandText = sql
dbInsert.CommandType = CommandType.Text
dbInsert.Connection = aConnection
dbInsert2.CommandText = sql2
dbInsert2.CommandType = CommandType.Text
dbInsert2.Connection = aConnection
dbInsert3.CommandText = sql3
dbInsert3.CommandType = CommandType.Text
dbInsert3.Connection = aConnection
dbInsert.ExecuteNonQuery()
dbInsert2.ExecuteNonQuery()
dbInsert3.ExecuteNonQuery()
我不确定是什么导致了这个问题。有人知道如何将评论插入数据库吗?这一行似乎在末尾缺少一个引号(就在
uID假设所有文件都是Varchar
Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) "
sql = sql & " VALUES ('" & movID & "','" & review_id & "','" & 2 & "','" & Date.Now & "','" & uID & "')"
Dim sql2 As String = "INSERT INTO MReviewRatings (MReviewID, ValueForMoney, ActingAbility, SpecialEffects, Plot, Total) "
sql2 = sql2 & " VALUES ('" & movID & "','" & moneyStar(moneyStarRating) & "','" & actingStar(actingStarRating) & "','" & effectsStar(effectStarRating) & "','" & plotStar(plotStarRating) & "','" & totalStar(avg) & "')"
Dim sql3 As String = "INSERT INTO MReviewTexts (MReviewID, ReviewText) "
sql3 = sql3 & " VALUES ('" & review_id & "','" & txtReviewText.Text & "')"
在你的陈述末尾有一个额外的单引号 此时,字符串将产生类似于
insert into (x,y,z) values ('a','b','c')'
sql = sql & " VALUES ('" & movID .... uID & "')'"
insert into (x,y,z) values ('a','b','c')'
sql = sql & " VALUES ('" & movID .... uID & "')'"
“作为旁注,如果列是基于数字的,则不需要将值放在单引号中
您还应该考虑使用来防止,通过以这种方式实现代码,您将自己暴露于SQL注入攻击中,正如freefaller所指出的那样 您最好将您的查询写为:
Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) " & _
" VALUES (@movID,@review_id,@reviewerType,@timestamp,@userid)"
dbInsert.CommandText = sql
dbInsert.CommandType = CommandType.Text
dbInsert.Connection = aConnection
dbInsert.Parameters.Add(New SQLParameter("@movID",movID))
dbInsert.Parameters.Add(New SQLParameter("@review_id",review_id ))
dbInsert.Parameters.Add(New SQLParameter("@reviewerType",2))
dbInsert.Parameters.Add(New SQLParameter("@timestamp",Date.Now))
dbInsert.Parameters.Add(New SQLParameter("@userid",uID))
dbInsert.ExecuteNonQuery()
其余的查询可以得到类似的处理。此更改不仅可以保护您免受SQL注入攻击,还可以使您的数据访问层代码更易于管理。如果我是您,我会注销SQL的值并查看它以确定问题。或者如果UID是
int之前有最后一个”
)Dim sql As String = "INSERT INTO MovieReviews (MovieID, MReviewID, ReviewerType, ReviewDate, UserID) " & _
" VALUES (@movID,@review_id,@reviewerType,@timestamp,@userid)"
dbInsert.CommandText = sql
dbInsert.CommandType = CommandType.Text
dbInsert.Connection = aConnection
dbInsert.Parameters.Add(New SQLParameter("@movID",movID))
dbInsert.Parameters.Add(New SQLParameter("@review_id",review_id ))
dbInsert.Parameters.Add(New SQLParameter("@reviewerType",2))
dbInsert.Parameters.Add(New SQLParameter("@timestamp",Date.Now))
dbInsert.Parameters.Add(New SQLParameter("@userid",uID))
dbInsert.ExecuteNonQuery()