Unclosed quotation mark after the character string ')'.

Views: 344

Problem description


An unhandled exception of type 'System.Data.SqlClient.SqlException' occurred in System.Data.dll

Additional information: Incorrect syntax near ','.

Unclosed quotation mark after the character string ')'.

What I have tried:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Data.SqlClient;

namespace performing_IUD_operations
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        SqlConnection con = new SqlConnection("Data Source=localhost;Initial Catalog=dataentry;Integrated Security=True;Pooling=False");

        private void btnsava_Click(object sender, EventArgs e)
        {
            con.Open();
            SqlDataAdapter sda = new SqlDataAdapter(" Insert Into [Data Entry] (Id,Name,Gender,Age,Salary,Tax) Values ('" + textBox1.Text + "','" + textBox2.Text + "','" + comboBox1 + "'," + textBox3.Text + "','" + textBox4.Text + "','" + textBox5.Text + "')" ,con);
            sda.SelectCommand.ExecuteNonQuery();
            con.Close();
            MessageBox.Show("Saved sucessful");

        }
    }
}

Answers

Never build an SQL query by concatenating with user inputs; it is named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user input like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability.
SQL injection - Wikipedia
SQL Injection



Insert line breaks to the line containing the SQL command. This makes it easier to find the problem:
SqlDataAdapter sda = new SqlDataAdapter(
" Insert Into [Data Entry] (Id,Name,Gender,Age,Salary,Tax) Values ('" + 
textBox1.Text + "','" + 
textBox2.Text + "','" + 
comboBox1 + "'," + 
textBox3.Text + "','" + 
textBox4.Text + "','" + 
textBox5.Text + "')" ,con);


Here it is:

comboBox1 + "'," +


It must be

comboBox1 + "','" +


(and you probably have to use a ComboBox method like SelectedItem).


While not related to the question, it is important to know about SQL injection - Wikipedia.
To avoid these, always use parametrised queries. See SqlParameterCollection.AddWithValue Method (String, Object) (System.Data.SqlClient) for example code.
As a side effect you will have more readable queries that are not prone to the errors from your question.
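The parametrised version of the INSERT from the question, as an added example (not the poster's code or either answer's). Table and column names are taken from the question; the column types and lengths, the ConnectionString and the DataEntryStore/SaveEntry names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the poster's code. Table and column names come from the
// question; column types, lengths and the connection string are assumptions.
public static class DataEntryStore
{
    const string ConnectionString =
        "Data Source=localhost;Initial Catalog=dataentry;Integrated Security=True";

    // Takes the raw text from the form controls, validates the numeric fields,
    // and inserts one row. Returns the number of rows written (1 on success).
    public static int SaveEntry(string idText, string name, string gender,
                                string ageText, string salaryText, string taxText)
    {
        if (!int.TryParse(idText, out int id) || !int.TryParse(ageText, out int age) ||
            !decimal.TryParse(salaryText, out decimal salary) ||
            !decimal.TryParse(taxText, out decimal tax))
            throw new ArgumentException("Id, Age, Salary and Tax must be numbers.");

        // Placeholders instead of concatenation: the SQL text never changes, so a
        // quote in Name (e.g. Brian O'Conner) cannot break or alter the statement,
        // and the missing "'" from the question cannot happen in the first place.
        const string sql =
            "INSERT INTO [Data Entry] (Id, Name, Gender, Age, Salary, Tax) " +
            "VALUES (@Id, @Name, @Gender, @Age, @Salary, @Tax)";

        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Typed parameters (Add with SqlDbType) rather than AddWithValue, so
            // the driver does not have to infer SQL types from the .NET values.
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@Gender", SqlDbType.NVarChar, 10).Value = gender;
            cmd.Parameters.Add("@Age", SqlDbType.Int).Value = age;
            cmd.Parameters.Add("@Salary", SqlDbType.Decimal).Value = salary;
            cmd.Parameters.Add("@Tax", SqlDbType.Decimal).Value = tax;

            con.Open();
            return cmd.ExecuteNonQuery();   // 'using' closes the connection
        }
    }
}
```

In the click handler this replaces the SqlDataAdapter call: pass textBox1.Text, textBox2.Text, comboBox1.SelectedItem?.ToString() ?? "", textBox3.Text, textBox4.Text and textBox5.Text to SaveEntry and show the message box when it returns 1.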

