C# 消息:“ID”附近的语法不正确
我可以问一下为什么在ID附近会弹出一条带有错误的弹出消息吗?我找不到解决方法。单击按钮后,它会弹出此消息 消息:“ID”附近的语法不正确C# 消息:“ID”附近的语法不正确,c#,sql,syntax-error,C#,Sql,Syntax Error,我可以问一下为什么在ID附近会弹出一条带有错误的弹出消息吗?我找不到解决方法。单击按钮后,它会弹出此消息 消息:“ID”附近的语法不正确 您的SQL查询错误: _sql = "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code,company_code, " + "corg_code,created_on,created_by) " +
您的SQL查询错误:
// NOTE(review): the statement is assembled by concatenating form text straight into the
// SQL string; the answers below replace this with a parameterized command.
_sql = "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code,company_code, " +
"corg_code,created_on,created_by) " +
"VALUES ('" + txt_CodeID.Text.Trim() + "','" + cbx_SubInventoryCode.Text + "'," +
// The trailing "','" on this line followed by the leading "'" on the next one yields an
// extra empty literal ('') after the corg value: eight values for the seven listed columns.
"'" + cbx_ContactCode.Text + "','" + cbx_CompanyCode.Text + "','" + cbx_CorgCode.Text + "','" +
"',GETDATE(),'" + App_Common._USER_CODE + "')";
您的值必须放在括号内。看看这个:
您的SQL查询错误:
// NOTE(review): the statement is assembled by concatenating form text straight into the
// SQL string; the answers below replace this with a parameterized command.
_sql = "INSERT INTO do_information(die_class_code,subinvetory_code,contact_code,company_code, " +
"corg_code,created_on,created_by) " +
"VALUES ('" + txt_CodeID.Text.Trim() + "','" + cbx_SubInventoryCode.Text + "'," +
// The trailing "','" on this line followed by the leading "'" on the next one yields an
// extra empty literal ('') after the corg value: eight values for the seven listed columns.
"'" + cbx_ContactCode.Text + "','" + cbx_CompanyCode.Text + "','" + cbx_CorgCode.Text + "','" +
"',GETDATE(),'" + App_Common._USER_CODE + "')";
您的值必须放在括号内。看看这个:
尝试使用此查询:
正如@Peter B所评论的,您没有使用括号表示值V1和v2。
请看一下SQL insert语句的参考
使用参数化查询总是比使用串联字符串更好,因为串联字符串容易受到SQL注入攻击。
这里是使用参数化查询的参考。
希望这有帮助 尝试使用此查询:
正如@Peter B所评论的,您没有使用括号表示值V1和v2。
请看一下SQL insert语句的参考
使用参数化查询总是比使用串联字符串更好,因为串联字符串容易受到SQL注入攻击。
这里是使用参数化查询的参考。
希望这有帮助 您的SQL语句错误,因为缺少值的括号。代码非常混乱,很难一目了然。因此,您最好使用参数,使语句更清晰,便于阅读和检查语法错误: INSERT INTO do_information ( die_class_code, subinventory_code, contact_code, company_code, corg_code, created_on, created_by ) VALUES ( @CodeId, @SubInventoryCode, @ContactCode, @CompanyCode, @CorgCode, GETDATE(), @UserCode ) 但您还可以做更多的工作来清理代码:把每个查询封装起来。以下是针对您的语句的示例。从一些可重用的基本声明开始:
/// <summary>
/// A unit of work that runs a non-query SQL statement and reports the number of rows
/// affected, in synchronous and asynchronous forms.
/// </summary>
public interface IExecuteQuery
{
    /// <summary>Runs the statement and returns the affected-row count.</summary>
    int Execute();
    /// <summary>Asynchronous form of <see cref="Execute"/>; <paramref name="cancellationToken"/> aborts the call.</summary>
    Task<int> ExecuteAsync( CancellationToken cancellationToken );
}
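/// <summary>
/// Base class for a parameterized non-query SQL command bound to a caller-owned
/// <see cref="DbConnection"/>. Subclasses set the command text and declare its
/// parameters in <see cref="PrepareCommand"/>, and expose the parameter values as
/// properties backed by <see cref="GetParameterValue{T}"/> and
/// <see cref="SetParamaterValue{T}"/>.
/// </summary>
/// <remarks>
/// The <see cref="DbCommand"/> is created lazily on first use and released by
/// <see cref="Dispose()"/>. The connection is not owned by this class: it is neither
/// opened nor disposed here, the caller is responsible for both.
/// </remarks>
public abstract class SqlExecuteQuery : IExecuteQuery, IDisposable
{
    private readonly DbConnection _connection;
    private readonly Lazy<DbCommand> _command;
    private bool _disposed;

    /// <param name="connection">Connection the command runs on; the caller opens it before <see cref="Execute"/>.</param>
    /// <exception cref="ArgumentNullException"><paramref name="connection"/> is null.</exception>
    protected SqlExecuteQuery( DbConnection connection )
    {
        if ( connection == null )
            throw new ArgumentNullException( nameof( connection ) );
        _connection = connection;
        // Deferred so that PrepareCommand (a virtual) is not called from the constructor.
        _command = new Lazy<DbCommand>( CreateCommand );
    }

    /// <summary>Sets <see cref="DbCommand.CommandText"/> and adds every parameter the command uses.</summary>
    /// <param name="command">Freshly created, still empty command.</param>
    protected abstract void PrepareCommand( DbCommand command );

    /// <summary>The prepared command; created on first access.</summary>
    /// <exception cref="ObjectDisposedException">The query has been disposed.</exception>
    protected DbCommand Command
    {
        get
        {
            ThrowIfDisposed( );
            return _command.Value;
        }
    }

    /// <summary>Maps a property name to its parameter name; the default is <c>"@" + propertyName</c>.</summary>
    protected virtual string GetParameterNameFromPropertyName( string propertyName )
    {
        return "@" + propertyName;
    }

    /// <summary>
    /// Reads the value of the parameter that backs the calling property.
    /// SQL NULL (<see cref="DBNull"/>) is returned as <c>default(T)</c>, i.e. null for
    /// reference and nullable types.
    /// </summary>
    /// <param name="propertyName">Supplied by the compiler from the calling property.</param>
    protected T GetParameterValue<T>( [CallerMemberName] string propertyName = null )
    {
        object value = Command.Parameters[ GetParameterNameFromPropertyName( propertyName ) ].Value;
        if ( value == null || value == DBNull.Value )
        {
            // Unboxing null into a non-nullable value type would throw; default(T) is the safe equivalent.
            return default( T );
        }
        return (T) value;
    }

    /// <summary>Writes the value of the parameter that backs the calling property.</summary>
    /// <param name="newValue">Value to send; CLR null is stored as <see cref="DBNull.Value"/>.</param>
    /// <param name="propertyName">Supplied by the compiler from the calling property.</param>
    protected void SetParamaterValue<T>( T newValue, [CallerMemberName] string propertyName = null )
    {
        // Providers reject CLR null; DBNull.Value is the representation of SQL NULL.
        object value = newValue;
        if ( value == null )
        {
            value = DBNull.Value;
        }
        Command.Parameters[ GetParameterNameFromPropertyName( propertyName ) ].Value = value;
    }

    /// <summary>Hook that runs immediately before each execution; the default does nothing.</summary>
    protected virtual void OnBeforeExecute() { }

    /// <inheritdoc/>
    public int Execute()
    {
        OnBeforeExecute( );
        return Command.ExecuteNonQuery( );
    }

    /// <inheritdoc/>
    public async Task<int> ExecuteAsync( CancellationToken cancellationToken )
    {
        OnBeforeExecute( );
        // Library-style code: no need to resume on the caller's synchronization context.
        return await Command.ExecuteNonQueryAsync( cancellationToken ).ConfigureAwait( false );
    }

    /// <summary>Releases the command if it was ever created. The connection is left untouched.</summary>
    public void Dispose()
    {
        Dispose( true );
        GC.SuppressFinalize( this );
    }

    /// <param name="disposing">True when called from <see cref="Dispose()"/> rather than a finalizer.</param>
    protected virtual void Dispose( bool disposing )
    {
        if ( _disposed )
            return;
        if ( disposing && _command.IsValueCreated )
        {
            _command.Value.Dispose( );
        }
        _disposed = true;
    }

    // Factory used by the Lazy<DbCommand>; runs once, on first access to Command.
    private DbCommand CreateCommand()
    {
        var command = _connection.CreateCommand( );
        PrepareCommand( command );
        return command;
    }

    private void ThrowIfDisposed()
    {
        if ( _disposed )
            throw new ObjectDisposedException( GetType( ).FullName );
    }
}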
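/// <summary>Helpers for building the parameter list of a <see cref="DbCommand"/>.</summary>
public static class DbCommandExtensions
{
    /// <summary>
    /// Creates a provider-specific parameter, lets <paramref name="configureAction"/>
    /// fill it in, and adds it to <paramref name="command"/>.
    /// </summary>
    /// <param name="command">Command that receives the parameter.</param>
    /// <param name="configureAction">Sets name, type and direction on the new parameter.</param>
    /// <returns>The parameter that was added.</returns>
    /// <exception cref="ArgumentNullException">Either argument is null.</exception>
    public static DbParameter AddParameter( this DbCommand command, Action<DbParameter> configureAction )
    {
        if ( command == null )
            throw new ArgumentNullException( nameof( command ) );
        if ( configureAction == null )
            throw new ArgumentNullException( nameof( configureAction ) );
        var parameter = command.CreateParameter( );
        configureAction( parameter );
        command.Parameters.Add( parameter );
        return parameter;
    }
}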
实施
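/// <summary>
/// Inserts one row into <c>do_information</c> through named parameters. The caller
/// sets the code properties; <c>created_on</c> comes from <c>GETDATE()</c> and
/// <c>created_by</c> is stamped by <see cref="OnBeforeExecute"/>.
/// </summary>
public class SqlInsertInformationQuery : SqlExecuteQuery, IInsertInformationQuery
{
    // Every input parameter of the statement; each one is backed by a property below.
    private static readonly string[] InputParameterNames =
    {
        "@CodeId",
        "@SubInventoryCode",
        "@ContactCode",
        "@CompanyCode",
        "@CorgCode",
        "@UserCode",
    };

    /// <param name="connection">Caller-owned connection the INSERT runs on.</param>
    public SqlInsertInformationQuery( DbConnection connection ) : base( connection )
    {
    }

    /// <summary>Stamps the current user right before execution so a stale value is never sent.</summary>
    protected override void OnBeforeExecute()
    {
        UserCode = App_Common._USER_CODE; // this should be injected
    }

    /// <summary>Sets the INSERT text and registers every input parameter as a string.</summary>
    protected override void PrepareCommand( DbCommand command )
    {
        // NOTE(review): the column is spelled subinventory_code here but subinvetory_code in the
        // original concatenated statement above — confirm against the table definition.
        command.CommandText =
            @"INSERT INTO do_information ( die_class_code, subinventory_code, contact_code, company_code, corg_code, created_on, created_by ) " +
            @"VALUES ( @CodeId, @SubInventoryCode, @ContactCode, @CompanyCode, @CorgCode, GETDATE(), @UserCode )";
        foreach ( var name in InputParameterNames )
        {
            AddStringInput( command, name );
        }
    }

    // All inputs share the same shape, so the definition lives in one place.
    private static void AddStringInput( DbCommand command, string parameterName )
    {
        command.AddParameter( p =>
        {
            p.ParameterName = parameterName;
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
    }

    /// <summary>Value for <c>die_class_code</c>.</summary>
    public string CodeId
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>subinventory_code</c>.</summary>
    public string SubInventoryCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>contact_code</c>.</summary>
    public string ContactCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>company_code</c>.</summary>
    public string CompanyCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>corg_code</c>.</summary>
    public string CorgCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>created_by</c>; set internally by <see cref="OnBeforeExecute"/>.</summary>
    public string UserCode
    {
        get => GetParameterValue<string>( );
        private set => SetParamaterValue( value );
    }
}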
您的SQL语句错误,因为缺少值的括号。代码非常混乱,很难一目了然。因此,您最好使用参数,使语句更清晰,便于阅读和检查语法错误: INSERT INTO do_information ( die_class_code, subinventory_code, contact_code, company_code, corg_code, created_on, created_by ) VALUES ( @CodeId, @SubInventoryCode, @ContactCode, @CompanyCode, @CorgCode, GETDATE(), @UserCode ) 但您还可以做更多的工作来清理代码:把每个查询封装起来。以下是针对您的语句的示例。从一些可重用的基本声明开始:
/// <summary>
/// A unit of work that runs a non-query SQL statement and reports the number of rows
/// affected, in synchronous and asynchronous forms.
/// </summary>
public interface IExecuteQuery
{
    /// <summary>Runs the statement and returns the affected-row count.</summary>
    int Execute();
    /// <summary>Asynchronous form of <see cref="Execute"/>; <paramref name="cancellationToken"/> aborts the call.</summary>
    Task<int> ExecuteAsync( CancellationToken cancellationToken );
}
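/// <summary>
/// Base class for a parameterized non-query SQL command bound to a caller-owned
/// <see cref="DbConnection"/>. Subclasses set the command text and declare its
/// parameters in <see cref="PrepareCommand"/>, and expose the parameter values as
/// properties backed by <see cref="GetParameterValue{T}"/> and
/// <see cref="SetParamaterValue{T}"/>.
/// </summary>
/// <remarks>
/// The <see cref="DbCommand"/> is created lazily on first use and released by
/// <see cref="Dispose()"/>. The connection is not owned by this class: it is neither
/// opened nor disposed here, the caller is responsible for both.
/// </remarks>
public abstract class SqlExecuteQuery : IExecuteQuery, IDisposable
{
    private readonly DbConnection _connection;
    private readonly Lazy<DbCommand> _command;
    private bool _disposed;

    /// <param name="connection">Connection the command runs on; the caller opens it before <see cref="Execute"/>.</param>
    /// <exception cref="ArgumentNullException"><paramref name="connection"/> is null.</exception>
    protected SqlExecuteQuery( DbConnection connection )
    {
        if ( connection == null )
            throw new ArgumentNullException( nameof( connection ) );
        _connection = connection;
        // Deferred so that PrepareCommand (a virtual) is not called from the constructor.
        _command = new Lazy<DbCommand>( CreateCommand );
    }

    /// <summary>Sets <see cref="DbCommand.CommandText"/> and adds every parameter the command uses.</summary>
    /// <param name="command">Freshly created, still empty command.</param>
    protected abstract void PrepareCommand( DbCommand command );

    /// <summary>The prepared command; created on first access.</summary>
    /// <exception cref="ObjectDisposedException">The query has been disposed.</exception>
    protected DbCommand Command
    {
        get
        {
            ThrowIfDisposed( );
            return _command.Value;
        }
    }

    /// <summary>Maps a property name to its parameter name; the default is <c>"@" + propertyName</c>.</summary>
    protected virtual string GetParameterNameFromPropertyName( string propertyName )
    {
        return "@" + propertyName;
    }

    /// <summary>
    /// Reads the value of the parameter that backs the calling property.
    /// SQL NULL (<see cref="DBNull"/>) is returned as <c>default(T)</c>, i.e. null for
    /// reference and nullable types.
    /// </summary>
    /// <param name="propertyName">Supplied by the compiler from the calling property.</param>
    protected T GetParameterValue<T>( [CallerMemberName] string propertyName = null )
    {
        object value = Command.Parameters[ GetParameterNameFromPropertyName( propertyName ) ].Value;
        if ( value == null || value == DBNull.Value )
        {
            // Unboxing null into a non-nullable value type would throw; default(T) is the safe equivalent.
            return default( T );
        }
        return (T) value;
    }

    /// <summary>Writes the value of the parameter that backs the calling property.</summary>
    /// <param name="newValue">Value to send; CLR null is stored as <see cref="DBNull.Value"/>.</param>
    /// <param name="propertyName">Supplied by the compiler from the calling property.</param>
    protected void SetParamaterValue<T>( T newValue, [CallerMemberName] string propertyName = null )
    {
        // Providers reject CLR null; DBNull.Value is the representation of SQL NULL.
        object value = newValue;
        if ( value == null )
        {
            value = DBNull.Value;
        }
        Command.Parameters[ GetParameterNameFromPropertyName( propertyName ) ].Value = value;
    }

    /// <summary>Hook that runs immediately before each execution; the default does nothing.</summary>
    protected virtual void OnBeforeExecute() { }

    /// <inheritdoc/>
    public int Execute()
    {
        OnBeforeExecute( );
        return Command.ExecuteNonQuery( );
    }

    /// <inheritdoc/>
    public async Task<int> ExecuteAsync( CancellationToken cancellationToken )
    {
        OnBeforeExecute( );
        // Library-style code: no need to resume on the caller's synchronization context.
        return await Command.ExecuteNonQueryAsync( cancellationToken ).ConfigureAwait( false );
    }

    /// <summary>Releases the command if it was ever created. The connection is left untouched.</summary>
    public void Dispose()
    {
        Dispose( true );
        GC.SuppressFinalize( this );
    }

    /// <param name="disposing">True when called from <see cref="Dispose()"/> rather than a finalizer.</param>
    protected virtual void Dispose( bool disposing )
    {
        if ( _disposed )
            return;
        if ( disposing && _command.IsValueCreated )
        {
            _command.Value.Dispose( );
        }
        _disposed = true;
    }

    // Factory used by the Lazy<DbCommand>; runs once, on first access to Command.
    private DbCommand CreateCommand()
    {
        var command = _connection.CreateCommand( );
        PrepareCommand( command );
        return command;
    }

    private void ThrowIfDisposed()
    {
        if ( _disposed )
            throw new ObjectDisposedException( GetType( ).FullName );
    }
}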
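/// <summary>Helpers for building the parameter list of a <see cref="DbCommand"/>.</summary>
public static class DbCommandExtensions
{
    /// <summary>
    /// Creates a provider-specific parameter, lets <paramref name="configureAction"/>
    /// fill it in, and adds it to <paramref name="command"/>.
    /// </summary>
    /// <param name="command">Command that receives the parameter.</param>
    /// <param name="configureAction">Sets name, type and direction on the new parameter.</param>
    /// <returns>The parameter that was added.</returns>
    /// <exception cref="ArgumentNullException">Either argument is null.</exception>
    public static DbParameter AddParameter( this DbCommand command, Action<DbParameter> configureAction )
    {
        if ( command == null )
            throw new ArgumentNullException( nameof( command ) );
        if ( configureAction == null )
            throw new ArgumentNullException( nameof( configureAction ) );
        var parameter = command.CreateParameter( );
        configureAction( parameter );
        command.Parameters.Add( parameter );
        return parameter;
    }
}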
实施
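/// <summary>
/// Inserts one row into <c>do_information</c> through named parameters. The caller
/// sets the code properties; <c>created_on</c> comes from <c>GETDATE()</c> and
/// <c>created_by</c> is stamped by <see cref="OnBeforeExecute"/>.
/// </summary>
public class SqlInsertInformationQuery : SqlExecuteQuery, IInsertInformationQuery
{
    // Every input parameter of the statement; each one is backed by a property below.
    private static readonly string[] InputParameterNames =
    {
        "@CodeId",
        "@SubInventoryCode",
        "@ContactCode",
        "@CompanyCode",
        "@CorgCode",
        "@UserCode",
    };

    /// <param name="connection">Caller-owned connection the INSERT runs on.</param>
    public SqlInsertInformationQuery( DbConnection connection ) : base( connection )
    {
    }

    /// <summary>Stamps the current user right before execution so a stale value is never sent.</summary>
    protected override void OnBeforeExecute()
    {
        UserCode = App_Common._USER_CODE; // this should be injected
    }

    /// <summary>Sets the INSERT text and registers every input parameter as a string.</summary>
    protected override void PrepareCommand( DbCommand command )
    {
        // NOTE(review): the column is spelled subinventory_code here but subinvetory_code in the
        // original concatenated statement above — confirm against the table definition.
        command.CommandText =
            @"INSERT INTO do_information ( die_class_code, subinventory_code, contact_code, company_code, corg_code, created_on, created_by ) " +
            @"VALUES ( @CodeId, @SubInventoryCode, @ContactCode, @CompanyCode, @CorgCode, GETDATE(), @UserCode )";
        foreach ( var name in InputParameterNames )
        {
            AddStringInput( command, name );
        }
    }

    // All inputs share the same shape, so the definition lives in one place.
    private static void AddStringInput( DbCommand command, string parameterName )
    {
        command.AddParameter( p =>
        {
            p.ParameterName = parameterName;
            p.DbType = System.Data.DbType.String;
            p.Direction = System.Data.ParameterDirection.Input;
        } );
    }

    /// <summary>Value for <c>die_class_code</c>.</summary>
    public string CodeId
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>subinventory_code</c>.</summary>
    public string SubInventoryCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>contact_code</c>.</summary>
    public string ContactCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>company_code</c>.</summary>
    public string CompanyCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>corg_code</c>.</summary>
    public string CorgCode
    {
        get => GetParameterValue<string>( );
        set => SetParamaterValue( value );
    }

    /// <summary>Value for <c>created_by</c>; set internally by <see cref="OnBeforeExecute"/>.</summary>
    public string UserCode
    {
        get => GetParameterValue<string>( );
        private set => SetParamaterValue( value );
    }
}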
您需要使用值v1、v2、…-因此,对于括号,您应该真正使用参数化查询,而不是将值连接到查询字符串中。您当前的解决方案容易受到SQL注入的攻击,而且安全性做法很差。一些OT备注:a您不需要像已经创建的那样使用SqlDatabase;b您不需要_ds=新数据集;因为您将在ExecuteDataSet调用中覆盖该空数据集;c您似乎不使用这个_ds,也不需要它来进行插入,是否有一个简单的执行方法可以使用?使用参数将带来更可读的语句。使用这个字符串concat-mess,您将只见树木不见森林 :o) 关于标记,这不是一个C#语法错误。我添加了SQL。您需要使用值v1、v2、…-因此,对于括号,您应该真正使用参数化查询,而不是将值连接到查询字符串中。您当前的解决方案容易受到SQL注入的攻击,而且安全性做法很差。一些OT备注:a您不需要像已经创建的那样使用SqlDatabase;b您不需要_ds=新数据集;因为您将在ExecuteDataSet调用中覆盖该空数据集;c您似乎不使用这个_ds,也不需要它来进行插入,是否有一个简单的执行方法可以使用?使用参数将带来更可读的语句。使用这个字符串concat-mess,您将只见树木不见森林 :o) 关于标记,这不是一个C#语法错误。我添加了SQL。
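/// <summary>
/// Persists the form's current values as a new <c>do_information</c> row through the
/// parameterized <see cref="SqlInsertInformationQuery"/>, then defers to the base implementation.
/// </summary>
/// <returns>Whatever the base implementation returns.</returns>
public override bool fnSaveNewRecord()
{
    var database = new SqlDatabase( App_Common._WSFCSConnStr );
    // The connection is owned here; the query only borrows it and never disposes it.
    using ( var connection = database.CreateConnection( ) )
    {
        connection.Open( );
        // The type name must match the class declared above (the earlier draft had SqlInserInformationQuery).
        IInsertInformationQuery query = new SqlInsertInformationQuery( connection );
        query.CodeId = txt_CodeID.Text.Trim( );
        query.SubInventoryCode = cbx_SubInventoryCode.Text;
        query.ContactCode = cbx_ContactCode.Text;
        query.CompanyCode = cbx_CompanyCode.Text;
        query.CorgCode = cbx_CorgCode.Text;
        // The affected-row count is not needed here; a failed INSERT surfaces as an exception.
        query.Execute( );
    }
    return base.fnSaveNewRecord( );
}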