“'附近的语法不正确 [英] Incorrect syntax near ' '

问题描述

嘿伙计们，

我有一个非常长的SQL语句，它根据用户设置的过滤器值在代码中创建。

Unforuntatelly SQL语句是当异常达成时我没有记录，现在我唯一可以坚持的是来自System.Data.SqlClient.SqlException的错误消息：'''附近的语法不正确。

我知道这很模糊，但是你们中的某个人可能知道如何检查这个异常。

空白时出错......呵呵，很好玩SQL，我不知道：P



谢谢，Markus

解决方案

如果没有生成它的SQL，我们甚至无法开始确定解决方案。

但是......错误信息表明你正在连接字符串以形成一个SQL语句，这也解释了为什么你不能向我们展示它。



不要。永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。使用参数化查询 - 它将提高您的代码可靠性，可读性和安全性，同时可能同时解决您的问题。

您可以在sql中引用此链接以获取转义序列单引号。这是你面临的问题。



http://stackoverflow.com/questions/1586560/how-do-i-escape-a-single-quote-in-sqlserver [ ^ ]

Hey guys,
I'm having a very long SQL statement which gets created in code depending on the filter values the user sets.
Unforuntatelly the SQL statement was not logged when the exception accured and now my only thing I can hold on is the error message from System.Data.SqlClient.SqlException: " Incorrect syntax near ' ' ".
I know this is very vague, but probably someone of you has an idea what to check on this exception.
"Error at blank"... Hehe, nice played SQL, I have no idea :P

Thanks, Markus

解决方案

Without the SQL that generated it, we can't even begin to be definitive about a solution.
But...the error message would indicate that you are concatenating strings to form an SQL statement, which would also explain why you can't show it to us.

Don't. Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead - it will improve your code reliability, readability, and safety, as well as probably curing your problem at the same time.

You can refer this link for escape sequence in sql for single quotes. This is the problem you are facing.

http://stackoverflow.com/questions/1586560/how-do-i-escape-a-single-quote-in-sqlserver[^]

这篇关于“'附近的语法不正确的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！