Incorrect syntax near the keyword 'ORDER'


Question

Incorrect syntax near the keyword 'ORDER'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near the keyword 'ORDER'.

Dear all,
I get the same error as the above but have no idea how to solve it.
Here is my code:

using System;
using System.Configuration;
using System.Data;
using System.Data.Common;
using Microsoft.Practices.EnterpriseLibrary.Data;

public DataTable getINASecKeywordList(String Shortcode)
{
    DataTable dt = new DataTable();
    Database dbCon = DatabaseFactory.CreateDatabase("InaPremium");
    string cmd = "";
    string keyword = "";   // never assigned below, so it stays an empty string

    try
    {
        if (Shortcode == "All" || Shortcode == "")
        {
            cmd = "SELECT DISTINCT(seckeyword) FROM INA_Keyword ORDER BY seckeyword";
        }
        else
        {
            // Both values are concatenated into the SQL text without quotes or parameters.
            // With keyword == "" the text ends "... AND keyword =  ORDER BY seckeyword",
            // which is the statement SQL Server rejects with the error quoted above.
            cmd = "SELECT DISTINCT(seckeyword) FROM INA_Keyword WHERE shortcode = " + Shortcode + " AND keyword = " + keyword + " ORDER BY seckeyword";
        }
        using (DbCommand dbcmd = dbCon.GetSqlStringCommand(cmd))
        {
            dbcmd.CommandType = CommandType.Text;
            dbcmd.CommandTimeout = 100;
            dt = dbCon.ExecuteDataSet(dbcmd).Tables[0];
        }
        return dt;
    }
    catch (Exception ex)
    {
        // Logger is the poster's own helper class; it is not shown in the question.
        Logger.LogToFile(ConfigurationManager.AppSettings.Get("errLogPath") + "INADAC.txt", ex);
        throw;
    }
}





I have no idea how to solve the "Incorrect syntax near the keyword 'ORDER'" error.
Please help, thank you.

What I have tried:

Trying to solve the incorrect syntax error.

Recommended answers

Solution 1

Use a debugger and look at cmd to see what your real query is.

Never build an SQL query by concatenating user input; that is called "SQL injection", and it is dangerous for your database and error-prone.
A single quote in a name and your program crashes. If a user input like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability.
SQL injection - Wikipedia
SQL Injection


Solution 2

Your query is wrong.

cmd = "SELECT DISTINCT(seckeyword) FROM INA_Keyword WHERE shortcode = "+ Shortcode + " AND keyword = " + keyword + " ORDER BY seckeyword";

It should be like this:

cmd = "SELECT DISTINCT(seckeyword) FROM INA_Keyword WHERE shortcode = '"+ Shortcode + "' AND keyword = '" + keyword + "' ORDER BY seckeyword";

As others mentioned already, this approach is vulnerable to SQL injection attacks. Check the OWASP guidelines.
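The example below is added here and is not code from the question or either answer. It reproduces the three states the thread talks about side by side: the question's concatenation, where the never-assigned `keyword` variable leaves the text `AND keyword =  ORDER BY seckeyword` and the parser fails at ORDER; the quoted version from Solution 2, which parses but breaks on `O'Conner` and lets a crafted value rewrite the WHERE clause; and a parameterised query that fixes both. SQLite stands in for SQL Server so it runs offline (its parser reports the same `near "ORDER"` failure), the table contents are constructed sample rows, and the function names `run_concatenated` and `get_sec_keywords` are this example's own.

```python
import sqlite3

# Constructed sample rows for the three columns the question's query touches
# (shortcode, keyword, seckeyword); they are not data from the original post.
SAMPLE_ROWS = [
    ("1234", "sms", "alpha"),
    ("1234", "sms", "beta"),
    ("1234", "mms", "alpha"),
    ("5678", "sms", "gamma"),
]


def make_db():
    """In-memory SQLite table standing in for the SQL Server table INA_Keyword."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE INA_Keyword (shortcode TEXT, keyword TEXT, seckeyword TEXT)"
    )
    conn.executemany("INSERT INTO INA_Keyword VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def concatenated_sql(shortcode, keyword, quoted):
    """Build the statement text the way the question does (quoted=False) and
    the way Solution 2 suggests (quoted=True)."""
    if quoted:
        return (
            "SELECT DISTINCT(seckeyword) FROM INA_Keyword WHERE shortcode = '"
            + shortcode + "' AND keyword = '" + keyword + "' ORDER BY seckeyword"
        )
    return (
        "SELECT DISTINCT(seckeyword) FROM INA_Keyword WHERE shortcode = "
        + shortcode + " AND keyword = " + keyword + " ORDER BY seckeyword"
    )


def run_concatenated(conn, shortcode, keyword, quoted):
    """Execute the concatenated statement; returns ("ok", [seckeyword, ...])
    or ("error", message) so the failure modes can be compared side by side."""
    try:
        rows = conn.execute(concatenated_sql(shortcode, keyword, quoted)).fetchall()
        return "ok", [r[0] for r in rows]
    except sqlite3.OperationalError as exc:
        return "error", str(exc)


def get_sec_keywords(conn, shortcode, keyword=""):
    """Hardened equivalent of getINASecKeywordList: the SQL text is fixed and the
    values travel as bound parameters, so quotes and SQL keywords in the input
    are data, not syntax.  'All' / '' keeps the question's unfiltered branch."""
    if shortcode in ("All", ""):
        sql = "SELECT DISTINCT seckeyword FROM INA_Keyword ORDER BY seckeyword"
        args = ()
    else:
        sql = ("SELECT DISTINCT seckeyword FROM INA_Keyword "
               "WHERE shortcode = ? AND keyword = ? ORDER BY seckeyword")
        args = (shortcode, keyword)
    return [r[0] for r in conn.execute(sql, args).fetchall()]


if __name__ == "__main__":
    db = make_db()
    # 1. The question's exact state: keyword is "" -> "... AND keyword =  ORDER BY ..."
    print(run_concatenated(db, "1234", "", quoted=False))
    # 2. The quoted version parses, but a quote in the input still breaks the statement ...
    print(run_concatenated(db, "O'Conner", "sms", quoted=True))
    # 3. ... and a crafted value rewrites the WHERE clause: every seckeyword comes back.
    print(run_concatenated(db, "x' OR 1=1 --", "sms", quoted=True))
    # 4. Parameterised: same inputs, no error, no injection.
    print(get_sec_keywords(db, "O'Conner", "sms"))
    print(get_sec_keywords(db, "x' OR 1=1 --", "sms"))
    print(get_sec_keywords(db, "1234", "sms"))
```

In the poster's Enterprise Library code the same binding is done by writing `@shortcode` and `@keyword` in the SQL text and calling `dbCon.AddInParameter(dbcmd, "@shortcode", DbType.String, Shortcode)` (and likewise for keyword) on the DbCommand returned by GetSqlStringCommand; no quoting of the values is needed, and SQL Server receives them as typed parameters rather than as part of the statement.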

