Parameterized SQL query: incorrect syntax

Tags: sql, powershell, prepared-statement

My understanding is that parameterized SQL queries are the way to avoid escape-character errors. But I am still running into this problem:

try {
    Import-Module ActiveDirectory

    # Pull the AD attributes that are going to be written to the table
    $abc = Get-ADUser -ResultSetSize 9998 -Properties employeeid,samaccountname,Department,physicalDeliveryOfficeName,mail,useraccountcontrol,telephonenumber,cn,title,mobile,company,description,manager

    $connection = New-Object System.Data.SqlClient.SqlConnection
    $connection.ConnectionString = "server=server.local;database=db;trusted_connection=true;"
    $connection.Open()

    $command = New-Object System.Data.SQLClient.SQLCommand
    $command.Connection = $connection

    #$command.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@department",[Data.SQLDBType]::VarChar, 250)))
    #$command.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@physicalDeliveryOfficeName",[Data.SQLDBType]::VarChar, 200)))

    foreach ($user in $abc) {
        # Two parameters are added to the command on every iteration...
        $command.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@physicalDeliveryOfficeName",[Data.SQLDBType]::VarChar, 200))).value = $user.physicalDeliveryOfficeName
        $command.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@department",[Data.SQLDBType]::VarChar, 250))).value = $user.Department
        #$command.Parameters['@department'].value = $user.Department
        #$command.Parameters['@physicalDeliveryOfficeName'].value = $user.physicalDeliveryOfficeName

        #if (!$user.department)                 { $Command.Parameters['@department'].value = [System.DBNull]::Value  }
        #if (!$user.physicalDeliveryOfficeName) { $Command.Parameters['@physicalDeliveryOfficeName'].value = [System.DBNull]::Value  }

        # ...but the statement text is built with the -f format operator and never references them
        $insert = "INSERT INTO [Database].[ad].[UserAccountsT] (employeeid,samaccountname,distinguishedName,givenname,sn,title,department,physicaldeliveryofficename,email,telephoneNumber,mobile,company,description,useraccountcontrol,cn,manager) VALUES('{0}','{1}','{2}','{3}','{4}','{5}','{6}','{7}','{8}','{9}','{10}','{11}','{12}','{13}','{14}','{15}')" -f $user.employeeid,$user.samaccountname,$user.DistinguishedName,$user.GivenName,$user.Surname,$user.title,$user.Department,$user.physicalDeliveryOfficeName,$user.mail,$user.telephonenumber,$user.mobile,$user.company,$user.description,$user.userAccountControl,$user.cn,$user.manager
        $command.CommandText = $insert
        $command.ExecuteNonQuery() > $null
        $command.Parameters.Clear()
    }
} catch {
    Write-Host "Everything goes wrong at $_ for $user at $($user.physicalDeliveryOfficeName) $($user.Department) !!!"
} finally {
    $connection.Close()
}
But when the name contains an apostrophe, I still get an error:

Exception calling "ExecuteNonQuery" with "0" argument(s): "Incorrect syntax near 's'."

The value of $user.physicalDeliveryOfficeName is "Park's avonds".

You are not using prepared statements (parameterized queries) at all. Inserting strings into a string template with the format operator is no different from building the statement by concatenation.

Your code should look something like this:

$command = New-Object Data.SQLClient.SQLCommand
$command.Connection = $connection
$command.CommandText = 'INSERT INTO [table] (field1, field2) VALUES (@foo, @bar)'

foreach ($user in $abc) {
    $command.Parameters.Add((New-Object Data.SqlClient.SqlParameter('@foo', [Data.SQLDBType]::VarChar, 200))).Value = $user.physicalDeliveryOfficeName
    $command.Parameters.Add((New-Object Data.SqlClient.SqlParameter('@bar', [Data.SQLDBType]::VarChar, 250))).Value = $user.Department

    $command.Prepare()
    $command.ExecuteNonQuery() | Out-Null
    $command.Parameters.Clear()
}

As a side note: cramming as many parameters as possible into a single statement makes the code harder to read and debug. I strongly recommend that you resist the temptation.

Not enough for an answer, but you are not using the parameters correctly. You add parameters to the command, then use a format string to insert the string literals into $insert. You should be doing something like INSERT (fields) VALUES (@field_param) instead.
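The answer and the comment above both point to the same fix: the statement text references @parameters, and the data only ever travels through the parameter values. The following is an added example, not code from the question or the answer, that carries that through for a full column list, declares the parameters once outside the loop, and handles unset AD attributes (the DBNull case the question had commented out). The server name, the table [ad].[UserAccountsT], its column names and the VarChar sizes are assumptions.

```powershell
# Added example, not code from the original question or answer.
# Assumptions: table [ad].[UserAccountsT] exists with the columns listed below,
# all VarChar; the server name and the column sizes are placeholders.
Import-Module ActiveDirectory

# Column name => VarChar size. These names are script constants, never AD data,
# so using them to build the statement text does not put user data into SQL text.
$columns = [ordered]@{
    employeeid                 = 50
    samaccountname             = 50
    distinguishedName          = 500
    title                      = 200
    department                 = 250
    physicalDeliveryOfficeName = 200
    mail                       = 250
}
$connection = New-Object System.Data.SqlClient.SqlConnection
$connection.ConnectionString = 'server=server.local;database=db;trusted_connection=true;'
$command = $connection.CreateCommand()

# One statement with a placeholder per column; values never become part of the
# text, so a value like "Park's avonds" is stored as-is and needs no escaping.
$names        = @($columns.Keys) -join ', '
$placeholders = @($columns.Keys | ForEach-Object { "@$_" }) -join ', '
$command.CommandText = "INSERT INTO [ad].[UserAccountsT] ($names) VALUES ($placeholders)"

# Declare every parameter once, outside the loop; Prepare() needs the sizes set.
foreach ($col in $columns.Keys) {
    $param = New-Object Data.SqlClient.SqlParameter("@$col", [Data.SqlDbType]::VarChar, $columns[$col])
    $command.Parameters.Add($param) | Out-Null
}
try {
    $connection.Open()
    $command.Prepare()
    $users = Get-ADUser -Filter * -ResultSetSize 9998 -Properties @($columns.Keys)
    foreach ($user in $users) {
        foreach ($col in $columns.Keys) {
            $value = $user.$col
            # Unset AD attributes come back as $null; SqlClient then reports the
            # parameter as "not supplied", so send an explicit DBNull instead.
            if ($null -eq $value -or $value -eq '') { $value = [DBNull]::Value }
            $command.Parameters["@$col"].Value = $value
        }
        $command.ExecuteNonQuery() | Out-Null
    }
} catch {
    Write-Warning "Insert failed for '$($user.SamAccountName)': $_"
} finally {
    $connection.Dispose()
}
```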