带有关键字的语法不正确 [英] Incorrect Syntax with keyword with
本文介绍了带有关键字的语法不正确的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我需要帮助......
当我在评论文本框中输入几句话但我输入长句和更多单词时,我没有错误更新或插入我得到以下错误:
关键字'with'附近的语法不正确。如果此语句是公用表表达式,xmlnamespaces子句或更改跟踪上下文子句,则必须使用分号终止先前的语句。
这是我的Sql字符串:
更新集IDNo =' + IDNOTextBox。文本 + ',Comments =' + CommentsTextBox。 Text + '其中Idno喜欢' + TextBox1。文字 + %'
i will感谢它,如果我得到答案.....提前感谢
解决方案
恭喜 - 你刚刚介绍了一个严重的安全漏洞 [ ^ ]到您的代码中! :doh:
参数化查询并不困难。他们将修复此安全漏洞。他们很可能会修复你所看到的错误。
Dim connectionString As String = ConfigurationManager.ConnectionStrings( YourConnectionStringName)。ConnectionString
Dim commandText 作为 字符串 = UPDATE YourTableName SET IDNo = @IDNo,Comments = @Comments WHERE IDNo Like @OriginalIDNo +'%'
使用 connection As 新 SqlConnection(connectionString)
使用命令作为 新 SqlCommand(c ommandText,connection)
command.CommandType = CommandType.Text
command.Parameters.AddWithValue( @ IDNo,IDNoTextBox.Text)
command.Parameters.AddWithValue( @Comments,CommentsTextBox.Text);
command.Parameters.AddWithValue( @ OriginalIDNo,TextBox1.Text);
connection.Open()
command.ExecuteNonQuery()
结束 使用
结束 使用
您的整个问题是您没有在SQL代码中使用参数化查询。
Google for sql注入攻击 [ ^ ]和 C#SQL参数化查询 [ ^ ]了解你做错了什么,为什么它如此糟糕,存在巨大的安全风险,以及如何处理它。
另外,你不能在非stri上使用LIKE运算符ng字段,就像您的IDNO字段一样。它可能是数字,这就是你得到错误的原因。
Please i need help...
I get NO errors when i type few sentences in the CommentsTextbox but when i type long sentences and more words and i try to Update or Insert i get the errors below:
Incorrect syntax near the keyword 'with'. If this statement is a common table expression, an xmlnamespaces clause or a change tracking context clause, the previous statement must be terminated with a Semicolon.
this is my Sql String:
"update set IDNo='" + IDNOTextBox.Text + "',Comments='" + CommentsTextBox.Text + "' where Idno like '" + TextBox1.Text + "%'"
i will appreciate it if i a get an answer.....thanks in advance
解决方案
Congratulations - you've just introduced a serious security vulnerability[^] into your code! :doh:
Parameterized queries aren't difficult. They will fix this security vulnerability. And they will most likely fix the error you're seeing as well.
Dim connectionString As String = ConfigurationManager.ConnectionStrings("YourConnectionStringName").ConnectionString Dim commandText As String = "UPDATE YourTableName SET IDNo = @IDNo, Comments = @Comments WHERE IDNo Like @OriginalIDNo + '%'" Using connection As New SqlConnection(connectionString) Using command As New SqlCommand(commandText, connection) command.CommandType = CommandType.Text command.Parameters.AddWithValue("@IDNo", IDNoTextBox.Text) command.Parameters.AddWithValue("@Comments", CommentsTextBox.Text); command.Parameters.AddWithValue("@OriginalIDNo", TextBox1.Text); connection.Open() command.ExecuteNonQuery() End Using End Using
Your entire problem is that you're not using parameterized queries in your SQL code.
Google for "sql injection attack[^]" and "C# SQL Parameterized Queries[^]" for information on what you're doing wrong, why it's so bad and a huge security risk, and what to do about it.
Also, you can NOT use the LIKE operator on non-string fields, like your IDNO field. It's probably numeric which is why you're getting the error.
这篇关于带有关键字的语法不正确的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
