C# ';关键字';作为'';而我的字符串没有';“我真的没有这个词”;作为「;
我正试图通过C# ';关键字';作为'';而我的字符串没有';“我真的没有这个词”;作为「;,c#,asp.net,sql-server,insert,C#,Asp.net,Sql Server,Insert,我正试图通过SqlCommand将数据插入数据库 这很简单,但我无法理解异常消息: System.Data.SqlClient.SqlException:“关键字“AS”附近的语法不正确” 我的代码: SqlConnection cn = new SqlConnection("**CONNECTION STRING IS WORKING FINE, CHECKED**"); string tsql = "INSERT INTO CAMADA VALUES (" + id + ", " + te
SqlCommand
将数据插入数据库
这很简单,但我无法理解异常消息:
System.Data.SqlClient.SqlException:“关键字“AS”附近的语法不正确”
我的代码:
SqlConnection cn = new SqlConnection("**CONNECTION STRING IS WORKING FINE, CHECKED**");
string tsql = "INSERT INTO CAMADA VALUES (" + id + ", " + team + "," + shift + "," + starttime + "," + jobdate + "," + PM;
SqlCommand cmd = new SqlCommand(tsql,cn);
cmd.CommandType = CommandType.Text;
cn.Open();
cmd.ExecuteNonQuery();
非常感谢您的帮助。您的代码有三个主要问题-
永远不要将带有用户输入的字符串连接到sql中。改用参数。
SqlConnection
的实例,因此可以将其添加或返回到这意味着,如果向表中添加列,或者只是对列重新排序,insert语句将失败并出现错误
请务必阅读并理解这些评论,它们会帮助您。
但是,请注意,我必须猜测参数的数据类型-您可能需要更改它们。
此外,在向数据库发送字符串(
char
/nchar
/varchar
/nvarchar
)或二进制数据(binary
/varbinary
)时,请确保设置参数的大小
// proper spacing and indentations makes the code easier to read thus more maintainable.
// Also, Always specify the columns list in an insert statement.
var tsql = @"INSERT INTO CAMADA (id, team, shift, starttime, jobdate, pm)
VALUES (@id, @team, @shift, @starttime, @jobdate, @pm)";
// use the using statement to ensure the SqlConnection is closed and disposed when done.
// This is important not only because it's an IDispsable, but also because that
// if you don't dispose it, the connection will not return to the connection pool
using(var cn = new SqlConnection("**CONNECTION STRING IS WORKING FINE, CHECKED**"))
{
// SqlCommand is also an IDisposable
using(var cmd = new SqlCommand(tsql,cn))
{
// CommandType.Text is the default, no need to set it explicitly
// Use parameters to avoid all kinds of nasty stuff like SQL injection,
// but also having to handle DateTime string literals formats
cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
cmd.Parameters.Add("@team", SqlDbType.Int).Value = team;
cmd.Parameters.Add("@shift", SqlDbType.Int).Value = shift;
cmd.Parameters.Add("@starttime", SqlDbType.DateTime).Value = starttime;
cmd.Parameters.Add("@jobdate", SqlDbType.DateTime).Value = jobdate;
// Of course, the size is also a guess...
cmd.Parameters.Add("@pm", SqlDbType.VarChar, 2).Value = pm;
cn.Open();
cmd.ExecuteNonQuery();
}
}
您的代码容易受到攻击。您应该始终在查询中使用参数进行保护。该表上有任何触发器吗?
PM
之后缺少右括号。还可以通过使用参数化查询来避免SQL注入。查看异常消息。然后打开异常对象。有一个信息,表明您的查询字符串有问题。如果查看查询字符串,它可能看起来像是插入CAMADA值(“42”、“red_团队”、“5”、“01-01-2018”、“10:00”、“true”),您会发现,您忘记了关闭括号。您还错过了将字符串和日期时间文字括在单引号中。参数化查询将避免这样做。