SQL statement problem


Problem description

cmd.CommandText = 
@"INSERT INTO SSS_Contribution 
VALUES (
EmpID = " + txtEmployeeID.Text + @" , 
LastName = '" + txtEmployeeLastName.Text + @"', 
FirstName = '" + txtEmployeeFirstName.Text + @"', 
MiddleName = '" + txtEmployeeMiddleName.Text + @"', 
SSS = '" + txtSSSNo.Text + @"', 
Client = '" + txtClient.Text + @"', 
DeptCoor = '" + txtCoordinator.Text + @"', 
FirstERShare = '0.00', 
FirstEEShare = '0.00', 
FirstTotal = '0.00', 
SecondERShare = " + y.ToString() + @", 
SecondEEShare = " + txtSSS.Text + @", 
SecondTotal = (" + txtSSS.Text + " + " + y.ToString() + @"), 
TotalERShare = (" + y.ToString() + @"), 
TotalEEShare = (" + txtSSS.Text + @"), 
TotalContribution = (" + txtSSS.Text + " + " + y.ToString() + @")
)";








What's wrong in my SQL statement? It keeps having this error:

Incorrect syntax near '='.








I tried debugging it many times. Thank you, kind sirs :)

Recommended answer

Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA





Your INSERT query syntax is wrong. The syntax is:

INSERT INTO <table_name> [(<ColumnName1, ColumnName2, ... ColumnNameN>)] VALUES (Data1, Data2... DataN);








Apart from that you need to use Parameterized SQL as explained by Sergey.


cmd.CommandText = "INSERT INTO SSS_Contribution VALUES (" + txtEmployeeID.Text + " ,'" + txtEmployeeLastName.Text + "','" + txtEmployeeFirstName.Text + "','" + txtEmployeeMiddleName.Text + "',  '" + txtSSSNo.Text + "',  '" + txtClient.Text + "','" + txtCoordinator.Text + "', '0.00', '0.00',  '0.00',  " + y.ToString() + ", " + txtSSS.Text + ",(" + txtSSS.Text + " + " + y.ToString() + "), (" + y.ToString() +"), (" + txtSSS.Text + "), (" + txtSSS.Text + " + " + y.ToString() + "))";








* store concatenated section (I marked - underlined: to string and insert)
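The following is an added example, not code from the question or from either answer. It applies both pieces of advice above at once: the INSERT gets an explicit column list (the syntax the second answer quotes), and every value from the form is bound as a SqlParameter rather than concatenated into the query text (the point Sergey makes). Column names are taken from the question's code; the column types, the table's actual schema, the helper names (InsertContribution, TryParseInputs, AddDecimal) and the 18,2 decimal precision are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

static class SssContributionRepository
{
    // Binds a money-style value as DECIMAL(18,2) so fractional cents are
    // neither truncated nor inferred differently per call. (Precision/scale
    // values are an assumption about the table's column definition.)
    static void AddDecimal(SqlCommand cmd, string name, decimal value)
    {
        SqlParameter p = cmd.Parameters.Add(name, SqlDbType.Decimal);
        p.Precision = 18;
        p.Scale = 2;
        p.Value = value;
    }

    // Validates the two numeric text boxes before any SQL is built. A bad
    // entry is reported to the caller instead of surfacing as a SQL syntax
    // error (which is what happens when "" or "abc" is concatenated in).
    public static bool TryParseInputs(string empIdText, string sssText,
                                      out int empId, out decimal employeeShare,
                                      out string error)
    {
        employeeShare = 0m;
        error = null;
        if (!int.TryParse(empIdText, NumberStyles.Integer,
                          CultureInfo.InvariantCulture, out empId))
        {
            error = "Employee ID must be a whole number.";
            return false;
        }
        if (!decimal.TryParse(sssText, NumberStyles.Number,
                              CultureInfo.InvariantCulture, out employeeShare)
            || employeeShare < 0m)
        {
            error = "SSS contribution must be a non-negative amount.";
            return false;
        }
        return true;
    }

    // Inserts one row and returns the number of rows affected (1 on success).
    // employerShare is the question's variable y; employeeShare is txtSSS.Text
    // after TryParseInputs. All arithmetic is done here, so only plain values
    // cross into the database, never text that the server has to parse as SQL.
    public static int InsertContribution(
        SqlConnection connection,
        int empId, string lastName, string firstName, string middleName,
        string sssNo, string client, string deptCoor,
        decimal employeeShare, decimal employerShare)
    {
        decimal secondTotal = employeeShare + employerShare;

        const string sql = @"
INSERT INTO SSS_Contribution
    (EmpID, LastName, FirstName, MiddleName, SSS, Client, DeptCoor,
     FirstERShare, FirstEEShare, FirstTotal,
     SecondERShare, SecondEEShare, SecondTotal,
     TotalERShare, TotalEEShare, TotalContribution)
VALUES
    (@EmpID, @LastName, @FirstName, @MiddleName, @SSS, @Client, @DeptCoor,
     0.00, 0.00, 0.00,
     @SecondERShare, @SecondEEShare, @SecondTotal,
     @TotalERShare, @TotalEEShare, @TotalContribution);";

        using (var cmd = new SqlCommand(sql, connection))
        {
            // Whatever the user typed (quotes, semicolons, "OR 1=1") is sent as
            // a typed parameter value, so it can never change the statement.
            cmd.Parameters.Add("@EmpID", SqlDbType.Int).Value = empId;
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 100).Value = lastName;
            cmd.Parameters.Add("@FirstName", SqlDbType.NVarChar, 100).Value = firstName;
            cmd.Parameters.Add("@MiddleName", SqlDbType.NVarChar, 100).Value = middleName;
            cmd.Parameters.Add("@SSS", SqlDbType.NVarChar, 20).Value = sssNo;
            cmd.Parameters.Add("@Client", SqlDbType.NVarChar, 100).Value = client;
            cmd.Parameters.Add("@DeptCoor", SqlDbType.NVarChar, 100).Value = deptCoor;
            AddDecimal(cmd, "@SecondERShare", employerShare);
            AddDecimal(cmd, "@SecondEEShare", employeeShare);
            AddDecimal(cmd, "@SecondTotal", secondTotal);
            AddDecimal(cmd, "@TotalERShare", employerShare);
            AddDecimal(cmd, "@TotalEEShare", employeeShare);
            AddDecimal(cmd, "@TotalContribution", secondTotal);
            return cmd.ExecuteNonQuery();
        }
    }
}

// Usage from the form's click handler (txt* controls are the question's):
//   if (!SssContributionRepository.TryParseInputs(txtEmployeeID.Text, txtSSS.Text,
//           out int empId, out decimal eeShare, out string err)) { /* show err */ return; }
//   int rows = SssContributionRepository.InsertContribution(conn, empId,
//       txtEmployeeLastName.Text, txtEmployeeFirstName.Text, txtEmployeeMiddleName.Text,
//       txtSSSNo.Text, txtClient.Text, txtCoordinator.Text, eeShare, y);
```

Two things change compared with the concatenated version in the question. First, the string values no longer need quoting in the SQL text at all; SqlClient sends them out of band, so a last name containing an apostrophe is simply stored, not parsed. Second, the numeric fields are parsed and validated once on the client; the empty-textbox case that produces a syntax error in the original becomes a clear message to the user before the command is ever created.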

