I am using an Access database and I am developing update code. It gives me an error like "Syntax error in UPDATE statement." So please help me with this error.


Problem description

Syntax error in UPDATE statement:-

public int UpdateClientInfo(ClientMaster currentSelectedItem)
{
   string strQuery = "UPDATE ClientMaster SET " +
   "SubgroupName = '" + currentSelectedItem.Subgroup_Name + "' , " +
   "FirstName = '" + currentSelectedItem.FirstName + "' , " +
   "FirstAge = '" + currentSelectedItem.FirstAge + "' , " +
   "FirstPAN = '" + currentSelectedItem.FirstPAN + "' , " +
   "FatherHusbandName = '" + currentSelectedItem.Father_husbandName + "' , " +
   "Address1 = '" + currentSelectedItem.Address1 + "' , " +
   "Area = '" + currentSelectedItem.Area + "' , " +
   "City = '" + currentSelectedItem.City + "' , " +
   "Pincode = '" + currentSelectedItem.Pincode + "' , " +
   "Mobile = '" + currentSelectedItem.Mobile + "' , " +
   "DPName = '" + currentSelectedItem.DP_Name + "' , " +
   "DematNo = '" + currentSelectedItem.Demat_No + "' , " +
   "BankName = '" + currentSelectedItem.BankName + "' , " +
   "BranchName = '" + currentSelectedItem.BranchName + "' , " +
   "WHERE Id = " + currentSelectedItem.Client_Id;
   return oConnectionClass.ExecuteNonQuery(strQuery);
}

Recommended answers

Never, ever construct a SQL statement by concatenating strings obtained from user inputs. This leaves your code wide open to SQL injection attacks.
Better use parameterized queries instead.
Something like:
string query = "UPDATE ClientMaster SET SubGroupName = @subGroupName, FirstName = @firstName, FirstAge = @firstAge, FirstPAN = @firstPAN, FatherHusbandName = @fatherHusbandName, Address1 = @address1, Area = @area, City = @city, PinCode = @pinCode, Mobile = @mobile, DPName = @dpName, DematNo = @dematNo, BankName = @bankName, BranchName = @branchName WHERE Id = @id";
using (SqlConnection connection = /* construct your connection here */)
using (SqlCommand command = new SqlCommand(query, connection))
{
   connection.Open();
   command.Parameters.AddWithValue("@subGroupName", currentSelectedItem.Subgroup_Name);
   command.Parameters.AddWithValue(/* etc. */);
   // ...
   return command.ExecuteNonQuery();
}


Change

"BranchName = '" + currentSelectedItem.BranchName + "' , " +
   "WHERE Id = " + currentSelectedItem.Client_Id;

to

"BranchName = '" + currentSelectedItem.BranchName + "' " +
   "WHERE Id = " + currentSelectedItem.Client_Id;





However you'll also get this error if any of your text fields have an apostrophe in them. And the code also leaves you open to sql injection attacks. Use parameterised queries instead (google for examples).
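As an added illustration of both answers above (not code from the question or either answer), the following Python uses an in-memory sqlite3 table standing in for the Access ClientMaster table. The column names come from the question; the table contents and sample values are constructed. It reproduces the stray comma before WHERE, shows that the concatenated form also breaks on an apostrophe in the data, and shows that the parameterized form handles both.

```python
import sqlite3

# Constructed stand-in for the Access ClientMaster table (only three of its columns).
# sqlite3 is used because it ships with Python; the failure modes are the same as with Access.
SCHEMA = "CREATE TABLE ClientMaster (Id INTEGER PRIMARY KEY, FirstName TEXT, BranchName TEXT)"


def _fresh_connection():
    """Creates an in-memory database with one constructed client row (Id = 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO ClientMaster VALUES (1, 'placeholder', 'placeholder')")
    return conn


def concatenated_update(first_name, branch_name, client_id, trailing_comma=False):
    """Builds the UPDATE the way the question does: by splicing values into the SQL text.
    trailing_comma=True reproduces the question's bug (a ' , ' left before WHERE)."""
    separator = "' , " if trailing_comma else "' "
    return ("UPDATE ClientMaster SET "
            "FirstName = '" + first_name + "' , "
            "BranchName = '" + branch_name + separator +
            "WHERE Id = " + str(client_id))


def _stored_row(conn, client_id):
    return conn.execute("SELECT FirstName, BranchName FROM ClientMaster WHERE Id = ?",
                        (client_id,)).fetchone()


def run_concatenated(first_name, branch_name, client_id, trailing_comma=False):
    """Returns the stored (FirstName, BranchName) on success, or 'error: ...' if the SQL broke."""
    conn = _fresh_connection()
    try:
        conn.execute(concatenated_update(first_name, branch_name, client_id, trailing_comma))
    except sqlite3.OperationalError as exc:  # the driver reports a syntax error, as Access does
        return "error: " + str(exc)
    return _stored_row(conn, client_id)


def run_parameterized(first_name, branch_name, client_id):
    """Same update with placeholders: values travel separately from the SQL, so a quote
    inside a name is just data, and there is no quoting to get wrong."""
    conn = _fresh_connection()
    conn.execute("UPDATE ClientMaster SET FirstName = ?, BranchName = ? WHERE Id = ?",
                 (first_name, branch_name, client_id))
    return _stored_row(conn, client_id)
```

With the Access OLE DB provider the placeholders are positional as well, so parameters must be added in the order they appear in the statement.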
