values子句中指定的insert语句值中有更多列 [英] There are more columns in the insert statement values specified in the values clause
本文介绍了values子句中指定的insert语句值中有更多列的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我有问题
i add btn
i have problem
i add btn
cmd = New SqlCommand("insert into TBLSubScriptions ([Name],[PhoneNo],[Weight],[Length],[TimeClass],[subscriptionStart],[subscriptionEnd])
values ('" & txtName.Text & "','" & txtphone.Text & "','" & txtwigh.Text & "," & txtLength.Text & "','" & comoTimecl.Text & "','" & txtDatest.Value.Date & "','" & txtenddate.Value.Date & "')", con)
i有错误
在值中指定的insert语句值中有更多列条款
我尝试了什么:
i会尝试但是没有解决
i尝试解决但是noway
i have error
there are more columns in the insert statement values specified in the values Clause
What I have tried:
i will tried but no solve
i tried solve but noway
cmd = New SqlCommand("insert into TBLSubScriptions ([Name],[PhoneNo],[Weight],[Length],[TimeClass],[subscriptionStart],[subscriptionEnd])
values ('" & txtName.Text & "','" & txtphone.Text & "','" & txtwigh.Text & "," & txtLength.Text & "','" & comoTimecl.Text & "','" & txtDatest.Value.Date & "','" & txtenddate.Value.Date & "')", con)
推荐答案
格式化sql查询字符串易受攻击到 SQL注入 [ ^ ]攻击
总是使用参数化查询以防止SQL Server中的SQL注入攻击 [ ^ ]
Formatting the sql Query string is vulnerable to SQL Injection[^] attacks
always use Parameterized queries to prevent SQL Injection Attacks in SQL Server[^]
cmd = New SqlClient.SqlCommand("insert into TBLSubScriptions (Name,PhoneNo,Weight,Length,TimeClass,subscriptionStart,subscriptionEnd)values (@Name,@PhoneNo,@Weight,@Length,@TimeClass,@subscriptionStart,@subscriptionEnd)")
cmd.Parameters.AddWithValue("@Name", txtName.Text)
cmd.Parameters.AddWithValue("@PhoneNo", txtphone.Text)
cmd.Parameters.AddWithValue("@Weight", txtwigh.Text)
cmd.Parameters.AddWithValue("@Length", txtLength.Text)
cmd.Parameters.AddWithValue("@TimeClass", comoTimecl.Text)
cmd.Parameters.AddWithValue("@subscriptionStart", txtDatest.Value.Date)
cmd.Parameters.AddWithValue("@subscriptionEnd", txtenddate.Value.Date)
永远不要通过与用户输入连接来构建SQL查询,它被命名为SQL注入,这对您的数据库很危险并且容易出错。 br />
名称中的单引号和程序崩溃。如果像Brian O'Conner这样的用户输入可能会使您的应用程序崩溃,那么这是一个SQL注入漏洞。
SQL注入 - 维基百科 [ ^ ]
SQL注入 [ ^ ]
您的实际问题是与您的数据匹配的单引号
Never build an SQL query by concatenating with user inputs, it is named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability.
SQL injection - Wikipedia[^]
SQL Injection[^]
Your actual problem is about single quotes matching with your data
' Error here V and V
& txtphone.Text & "','" & txtwigh.Text & "," & txtLength.Text & "','" & comoTimecl.Text &
如果您使用参数化查询,它会更清晰。
但是看一下txtwigh.text,之后没有单引号,因此它与下一个字段合并。
If you used a parameterised query it would make it clearer.
However look at txtwigh.text, no single quote after, thus it merges with the next field.
这篇关于values子句中指定的insert语句值中有更多列的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文