I have an Incorrect syntax near '='.


Problem description

I am working on this project and when I go to view in browser I get this error:
Incorrect syntax near '='.

Here is the error:

Server Error in '/' Application.
Incorrect syntax near '='.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near '='.

Source Error:


Line 34:         SqlCommand scmd2 = new SqlCommand("Select INST_ID, INSTRUCTIO, RESEARCH, PUBLIC_SER, ACADEMIC_S, STUDENT_SE, INSTITUTIO, PHYSICAL_P, SCHOLARSHI, AUXILIARY_, HOSPITALS, INDEPENDEN, OTHEREXP, TOTASSETS, TOTLIABILITY, NoNEXPPERMRESASSETS, UNRNETASSETS, TOTALREV, TUITFEES, CURRDEBT, LONGTERMDEBT from TableFIN2012 where INST_ID = " + TextBoxSchool.Text.ToString(), con2);
Line 35:         SqlDataReader dr = scmd.ExecuteReader();
Line 36:         SqlDataReader dr2 = scmd2.ExecuteReader();
Line 37: 
Line 38:         if (dr.Read())

Here is the code:

using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;
using System.Data;
using System.Data.SqlClient;
using System.Drawing;
using System.Text;
using System.Collections;
using System.Collections.Generic;
using System.Linq;
using System.Configuration;
using System.Drawing.Printing;

public partial class FinancialProfileFormA : System.Web.UI.Page
{

    protected void Page_Load(object sender, EventArgs e)
    {
        ButtonPrint.Attributes.Add("onclick", "window.print(); return false");

        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["PasswordConnectionString"].ConnectionString);
        con.Open();

        SqlConnection con2 = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["PasswordConnectionString"].ConnectionString);
        con2.Open();


        SqlCommand scmd = new SqlCommand("Select INST_ID,LongName from TableCOCINST where INST_ID = LongName" + TextBoxSchool.Text.ToString(), con);
        SqlCommand scmd2 = new SqlCommand("Select INST_ID, INSTRUCTIO, RESEARCH, PUBLIC_SER, ACADEMIC_S, STUDENT_SE, INSTITUTIO, PHYSICAL_P, SCHOLARSHI, AUXILIARY_, HOSPITALS, INDEPENDEN, OTHEREXP, TOTASSETS, TOTLIABILITY, NoNEXPPERMRESASSETS, UNRNETASSETS, TOTALREV, TUITFEES, CURRDEBT, LONGTERMDEBT from TableFIN2012 where INST_ID = " + TextBoxSchool.Text.ToString(), con2);
        SqlDataReader dr = scmd.ExecuteReader();
        SqlDataReader dr2 = scmd2.ExecuteReader();

        if (dr.Read())
            if (dr2.Read())
            {
                TextBoxSchool.Text = dr["LongName"].ToString();
                TextBoxLYInstr.Text = dr2["INSTRUCTIO"].ToString();
                TextBoxLYRes.Text = dr2["RESEARCH"].ToString();
                TextBoxLYPubS.Text = dr2["PUBLIC_SER"].ToString();
                TextBoxLYAcad.Text = dr2["ACADEMIC_S"].ToString();
                TextBoxLYStudS.Text = dr2["STUDENT_SE"].ToString();
                TextBoxLYInstiS.Text = dr2["INSTITUTIO"].ToString();
                TextBoxLYOperM.Text = dr2["PHYSICAL_P"].ToString();
                TextBoxLYSFEDA.Text = dr2["SCHOLARSHI"].ToString();
                TextBoxLYAuxE.Text = dr2["AUXILIARY_"].ToString();
                TextBoxLYHosS.Text = dr2["HOSPITALS"].ToString();
                TextBoxLYIndeO.Text = dr2["INDEPENDEN"].ToString();
                TextBoxLYOED.Text = dr2["OTHEREXP"].ToString();
                TextBoxLYTA.Text = dr2["TOTASSETS"].ToString();
                TextBoxLYTL.Text = dr2["TOTLIABILITY"].ToString();
                TextBoxLYNPRNA.Text = dr2["NoNEXPPERMRESASSETS"].ToString();
                TextBoxLYTUNA.Text = dr2["UNRNETASSETS"].ToString();
                TextBoxLYTR.Text = dr2["TOTALREV"].ToString();
                TextBoxLYTFN.Text = dr2["TUITFEES"].ToString();
                TextBoxLYCD.Text = dr2["CURRDEBT"].ToString();
                TextBoxLYLTD.Text = dr2["LONGTERMDEBT"].ToString();
                TextBoxINST_ID.Text = dr["INST_ID"].ToString();

            }
        dr.Close();
        con.Close();
        dr2.Close();
        con2.Close();

    }

    protected void ButtonSubmit_Click(object sender, EventArgs e)
    {

        SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["PasswordConnectionString"].ConnectionString);
        con.Open();


        SqlCommand cmd = new SqlCommand("Insert into TableFIN2013 (INST_ID, TOTAL_REVE, INSTRUCTIO, RESEARCH, PUBLIC_SER, ACADEMIC_S, STUDENT_SE, INSTITUTIO, PHYSICAL_P, SCHOLARSHI, AUXILIARY_, HOSPITALS, INDEPENDEN, OTHEREXP, TOTASSETS, TOTLIABILITY, NoNEXPPERMRESASSETS, EXPENDABLE, UNRNETASSETS, TOTALREV, TUITFEES, CURRDEBT, LONGTERMDEBT) values (@INST_ID, @TOTAL_REVE, @INSTRUCTIO, @RESEARCH, @PUBLIC_SER, @ACADEMIC_S, @STUDENT_SE, @INSTITUTIO, @PHYSICAL_P, @SCHOLARSHI, @AUXILIARY_, @HOSPITALS, @INDEPENDEN, @OTHEREXP, @TOTASSETS, @TOTLIABILITY, @NoNEXPPERMRESASSETS, @EXPENDABLE, @UNRNETASSETS, @TOTALREV, @TUITFEES, @CURRDEBT, @LONGTERMDEBT)", con);
        // con was already opened above; a second con.Open() throws InvalidOperationException

        cmd.CommandType = CommandType.Text;

        cmd.Parameters.AddWithValue("@INST_ID", TextBoxINST_ID.Text);
        cmd.Parameters.AddWithValue("@TOTAL_REVE", TextBoxTROA.Text);
        cmd.Parameters.AddWithValue("@INSTRUCTIO", TextBoxInstr.Text);
        cmd.Parameters.AddWithValue("@RESEARCH", TextBoxRes.Text);
        cmd.Parameters.AddWithValue("@PUBLIC_SER", TextBoxPubS.Text);
        cmd.Parameters.AddWithValue("@ACADEMIC_S", TextBoxAcad.Text);
        cmd.Parameters.AddWithValue("@STUDENT_SE", TextBoxStudS.Text);
        cmd.Parameters.AddWithValue("@INSTITUTIO", TextBoxInstiS.Text);
        cmd.Parameters.AddWithValue("@PHYSICAL_P", TextBoxOperM.Text);
        cmd.Parameters.AddWithValue("@SCHOLARSHI", TextBoxSFEDA.Text);
        cmd.Parameters.AddWithValue("@AUXILIARY_", TextBoxAuxE.Text);
        cmd.Parameters.AddWithValue("@HOSPITALS", TextBoxHosS.Text);
        cmd.Parameters.AddWithValue("@INDEPENDEN", TextBoxIndeO.Text);
        cmd.Parameters.AddWithValue("@OTHEREXP", TextBoxOED.Text);
        cmd.Parameters.AddWithValue("@TOTASSETS", TextBoxTA.Text);
        cmd.Parameters.AddWithValue("@TOTLIABILITY", TextBoxTL.Text);
        cmd.Parameters.AddWithValue("@NoNEXPPERMRESASSETS", TextBoxNPRNA.Text);
        cmd.Parameters.AddWithValue("@EXPENDABLE", TextBoxETRNA.Text);
        cmd.Parameters.AddWithValue("@UNRNETASSETS", TextBoxTUNA.Text);
        cmd.Parameters.AddWithValue("@TOTALREV", TextBoxTR.Text);
        cmd.Parameters.AddWithValue("@TUITFEES", TextBoxTFN.Text);
        cmd.Parameters.AddWithValue("@CURRDEBT", TextBoxCD.Text);
        cmd.Parameters.AddWithValue("@LONGTERMDEBT", TextBoxLTD.Text);


        cmd.ExecuteNonQuery();
        con.Close();
    }
}

Any idea why this is happening?

Recommended answers

You need to add quotes to the SQL

Something like this should help:
SqlCommand scmd2 = new SqlCommand("Select INST_ID, INSTRUCTIO, RESEARCH, PUBLIC_SER, ACADEMIC_S, STUDENT_SE, INSTITUTIO, PHYSICAL_P, SCHOLARSHI, AUXILIARY_, HOSPITALS, INDEPENDEN, OTHEREXP, TOTASSETS, TOTLIABILITY, NoNEXPPERMRESASSETS, UNRNETASSETS, TOTALREV, TUITFEES, CURRDEBT, LONGTERMDEBT from TableFIN2012 where INST_ID = '" + TextBoxSchool.Text.ToString() + "'", con2);


You need to surround the value that TextBoxSchool.Text.ToString() returns with single quotes. It's also not necessary to use .ToString() on TextBoxSchool.Text, because it is already a string:
SqlCommand scmd2 = new SqlCommand("Select INST_ID, INSTRUCTIO, RESEARCH, PUBLIC_SER, ACADEMIC_S, STUDENT_SE, INSTITUTIO, PHYSICAL_P, SCHOLARSHI, AUXILIARY_, HOSPITALS, INDEPENDEN, OTHEREXP, TOTASSETS, TOTLIABILITY, NoNEXPPERMRESASSETS, UNRNETASSETS, TOTALREV, TUITFEES, CURRDEBT, LONGTERMDEBT from TableFIN2012 where INST_ID = '" + TextBoxSchool.Text + "'", con2);


But it's better to use parameterized queries for this (to avoid SQL Injection):

SqlCommand scmd2 = new SqlCommand("Select INST_ID, INSTRUCTIO, RESEARCH, PUBLIC_SER, ACADEMIC_S, STUDENT_SE, INSTITUTIO, PHYSICAL_P, SCHOLARSHI, AUXILIARY_, HOSPITALS, INDEPENDEN, OTHEREXP, TOTASSETS, TOTLIABILITY, NoNEXPPERMRESASSETS, UNRNETASSETS, TOTALREV, TUITFEES, CURRDEBT, LONGTERMDEBT from TableFIN2012 where INST_ID = @INST_ID", con2);
scmd2.Parameters.AddWithValue("@INST_ID", TextBoxSchool.Text);


When using parameters, you don't need to surround @INST_ID with single quotes.


When you use a text (string) value in a SQL statement, it must be surrounded by apostrophes ('').
...
...
 ...  where INST_ID = '" + TextBoxSchool.Text.ToString() + "';"



That said, it is not a best practice to embed string values from user input (textboxes) directly into SQL statements. Doing that enables SQL Injection Attacks. A best practice is to use the SQLParameter Class to pass parameters to the SQLCommand object.

Example using SQLParameter

scmd2.Parameters.AddWithValue("@instid", TextBoxSchool.Text);
...
...
 ...  where INST_ID = @instid;"
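As an added example (not code from the question or from any of the answers), here is how both lookups from Page_Load look once the textbox value is passed as a parameter and the connection and reader are disposed on every path. It assumes the table and column names and the "PasswordConnectionString" setting from the question; VarChar(50) for INST_ID is an assumption to adjust to the real column definition.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class InstitutionLookup
{
    // Assumption: same connection string name as the question; VarChar(50) is a
    // guess for the INST_ID column type, adjust it to the real definition.
    private const string ConnName = "PasswordConnectionString";
    private const int InstIdLen = 50;

    public const string NameSql = "SELECT INST_ID, LongName FROM TableCOCINST WHERE INST_ID = @INST_ID";
    public const string FinSql =
        "SELECT INST_ID, INSTRUCTIO, RESEARCH, PUBLIC_SER, ACADEMIC_S, STUDENT_SE, " +
        "INSTITUTIO, PHYSICAL_P, SCHOLARSHI, AUXILIARY_, HOSPITALS, INDEPENDEN, " +
        "OTHEREXP, TOTASSETS, TOTLIABILITY, NoNEXPPERMRESASSETS, UNRNETASSETS, " +
        "TOTALREV, TUITFEES, CURRDEBT, LONGTERMDEBT FROM TableFIN2012 WHERE INST_ID = @INST_ID";

    // Runs one of the lookups above for an INST_ID and returns the matching row as a
    // column-name -> text map, or null when no row matches. The textbox value travels
    // as a parameter and never becomes SQL text: an empty textbox yields "no row"
    // instead of "Incorrect syntax near '='", and an apostrophe in the input is data.
    public static Dictionary<string, string> FindRow(string sql, string instId)
    {
        if (string.IsNullOrWhiteSpace(instId)) return null;
        string cs = ConfigurationManager.ConnectionStrings[ConnName].ConnectionString;
        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Typed, sized parameter rather than AddWithValue, so the SQL type is
            // fixed by the code instead of inferred from the string value.
            cmd.Parameters.Add("@INST_ID", SqlDbType.VarChar, InstIdLen).Value = instId.Trim();
            con.Open();
            using (SqlDataReader dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!dr.Read()) return null;
                var row = new Dictionary<string, string>();
                for (int i = 0; i < dr.FieldCount; i++)
                    row[dr.GetName(i)] = dr.IsDBNull(i) ? "" : dr.GetValue(i).ToString();
                return row;   // connection and reader are disposed on every path
            }
        }
    }
}
```

In Page_Load the two queries become FindRow(InstitutionLookup.NameSql, TextBoxSchool.Text) and FindRow(InstitutionLookup.FinSql, TextBoxSchool.Text), and the textboxes are filled from the returned map (for example row["LongName"]) only when it is not null.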

