SqlException (0x80131904): Incorrect syntax near '('.


Problem description

SqlException (0x80131904): Incorrect syntax near '('.

string s11 = "update SessionItem(ItemName,Quantity,Price,Date,Month) set ItemName='" + TextBox7.Text + "',Quantity='" + nb + "',Price='" + TextBox9.Text + "',Date='" + dt1 + "',Month='" + month1 + "' where ItemName='" + TextBox7.Text + "' ";
SqlCommand cmdh = new SqlCommand(s11, DbConnection.mCon);
cmdh.ExecuteNonQuery();

Recommended answer

The format of an UPDATE command is not the same as an INSERT:
UPDATE <table_name> SET <field>=<new value>,<field... WHERE ...

Having said that, do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

[edit]Forgot to encode HTML, grr. - OriginalGriff[/edit]
"sir pls show an example for parameterized queries"
using (SqlConnection con = new SqlConnection(strConnect))
{
    con.Open();
    // The SQL text is fixed; the values are passed as named parameters, never spliced into the string.
    using (SqlCommand com = new SqlCommand("UPDATE myTable SET myColumn1=@C1, myColumn2=@C2 WHERE Id=@ID", con))
    {
        com.Parameters.AddWithValue("@ID", id);
        com.Parameters.AddWithValue("@C1", myValueForColumn1);
        com.Parameters.AddWithValue("@C2", myValueForColumn2);
        com.ExecuteNonQuery();
    }
}
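The question's concatenated UPDATE placed beside the parameterized form the answer recommends, as an added example that is not code from the thread. It assumes the SessionItem table and its ItemName/Quantity/Price columns from the question and a placeholder connection string; the helper names are ours, and the Date/Month columns are left out for brevity.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. Assumes the question's SessionItem table
// with ItemName/Quantity/Price columns (Date and Month are left out for brevity).
static class SessionItemUpdate
{
    // The question's technique: user input is spliced into the SQL text. An ordinary
    // value containing an apostrophe closes the string literal early and everything
    // after it is parsed as SQL; "Incorrect syntax near ..." is the mildest outcome.
    public static string BuildConcatenatedUpdate(string itemName, int quantity, decimal price)
    {
        return "update SessionItem set ItemName='" + itemName + "',Quantity='" + quantity +
               "',Price='" + price + "' where ItemName='" + itemName + "'";
    }

    // The answer's technique: the SQL text is constant and values travel as typed
    // parameters, so an apostrophe is just data and the numbers arrive as numbers.
    public static SqlCommand BuildParameterizedUpdate(SqlConnection con, string itemName,
                                                      int quantity, decimal price)
    {
        var com = new SqlCommand(
            "UPDATE SessionItem SET ItemName=@Name, Quantity=@Qty, Price=@Price " +
            "WHERE ItemName=@Name", con);
        com.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = itemName;
        com.Parameters.Add("@Qty", SqlDbType.Int).Value = quantity;
        com.Parameters.Add("@Price", SqlDbType.Money).Value = price;
        return com;
    }

    static void Main()
    {
        string itemName = "Bob's Pen"; // constructed input: a legitimate name with an apostrophe
        // Prints ... ItemName='Bob's Pen' ...: the literal ends after Bob, so SQL Server
        // rejects the batch at parse time, before any row is touched.
        Console.WriteLine(BuildConcatenatedUpdate(itemName, 3, 1.50m));

        string strConnect = "<CONNECTION_STRING_PLACEHOLDER>"; // replace before running
        using (var con = new SqlConnection(strConnect))
        {
            con.Open();
            using (SqlCommand com = BuildParameterizedUpdate(con, itemName, 3, 1.50m))
            {
                int rows = com.ExecuteNonQuery(); // "Bob's Pen" is stored verbatim
                Console.WriteLine("Rows updated: " + rows);
            }
        }
    }
}
```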


string s11 = "update SessionItem set ItemName='" + TextBox7.Text + "',Quantity='" + nb + "',Price='" + TextBox9.Text + "',Date='" + dt1 + "',Month='" + month1 + "' where ItemName='" + TextBox7.Text + "' ";
SqlCommand cmdh = new SqlCommand(s11, DbConnection.mCon);
cmdh.ExecuteNonQuery();

Note: For better performance and security, make a good habit of using parameterized queries.


Thanks