Incorrect syntax near the keyword 'where'.

Views: 89
This article covers how to deal with the error "Incorrect syntax near the keyword 'where'."; the answers below should be a useful reference for anyone hitting the same problem.


I am creating a Windows application using C# 2010. Here I am using a data grid view for billing purposes, but when saving the grid view values to the database the error below comes up:

Incorrect syntax near the keyword 'where'.

 SqlCommand cmd2 = new SqlCommand("update stkdetails set customer=customer+" + rows.Cells[7].Value + " where empname='" + rows.Cells[2].Value + "'and date='" + txtdate.Text + "'", con2);




Can anyone give me some ideas on how to solve the above error?

What I have tried:

Incorrect syntax near the keyword 'where'.

Solution

Please read bobby-tables.com: A guide to preventing SQL injection, before someone destroys your database.


This is a very, very simple error to fix on your own because the error tells you exactly what the problem is. I do not mean to sound rude, but it would be much faster for you to fix it than it takes to post this question and wait for a response.

Secondly, use a parameterized query. The way you have your code now, I could hack your db very easily. You have very unsafe code.

Something like:

SqlCommand cmd2 = new SqlCommand("update stkdetails set customer = customer + @customer where empname = @empName and ...", con2);
cmd2.Parameters.AddWithValue("@customer", rows.Cells[7].Value);
cmd2.Parameters.AddWithValue("@empName", rows.Cells[2].Value);
...
// you finish the rest.  Very, very simple.


The problem with the way you build the query is that whether or not you get the error depends on what the variables contain.
The variables are promoted to SQL code, and a malicious value opens the door to SQL injection. The use of parameters may be the solution to both problems.
SQL injection - Wikipedia
SQL Injection
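The following is an added example, not code from the thread or from either answer. It builds the query text the same way the question does, so you can see why a blank or apostrophe-containing cell breaks the statement, and then shows the parameterized form both answers recommend, using explicit SqlDbType values instead of AddWithValue. The column types, the `ToAmount` helper, the blank-cell-means-zero rule and the connection string are all assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

static class StkDetailsUpdate
{
    // Builds the query the way the question does. Kept only to show what
    // SQL Server receives; it is never executed here. With a blank amount the
    // text reads "customer=customer+ where", which is what the error names.
    public static string BuildConcatenated(object amount, object empName, string date)
    {
        return "update stkdetails set customer=customer+" + amount +
               " where empname='" + empName + "'and date='" + date + "'";
    }
    // A blank grid cell is treated as 0 (assumption); the concatenated version
    // turned the same blank into the 'where' syntax error from the question.
    static decimal ToAmount(object cell)
    {
        string s = Convert.ToString(cell).Trim();
        return s.Length == 0 ? 0m : decimal.Parse(s, CultureInfo.InvariantCulture);
    }
    // The fix: values travel as typed parameters, so the SQL text never changes
    // no matter what the cells contain. Column types are assumed.
    public static SqlCommand BuildParameterized(SqlConnection con, object amountCell,
                                                object empNameCell, string dateText)
    {
        var cmd = new SqlCommand(
            "update stkdetails set customer = customer + @customer " +
            "where empname = @empName and date = @date", con);
        // Explicit SqlDbType avoids the type-guessing of AddWithValue.
        cmd.Parameters.Add("@customer", SqlDbType.Decimal).Value = ToAmount(amountCell);
        cmd.Parameters.Add("@empName", SqlDbType.NVarChar, 50).Value = Convert.ToString(empNameCell);
        cmd.Parameters.Add("@date", SqlDbType.Date).Value =
            DateTime.Parse(dateText, CultureInfo.InvariantCulture);
        return cmd;
    }
    static void Main()
    {
        // Constructed inputs: a blank amount cell (the questioner's situation) and
        // a legitimate name containing an apostrophe, which unbalances the quotes.
        Console.WriteLine(BuildConcatenated("", "smith", "2019-05-01"));
        Console.WriteLine(BuildConcatenated(10, "O'Brien", "2019-05-01"));
        // Placeholder connection string; nothing is opened or executed.
        using (var con = new SqlConnection("Server=(local);Database=billing;Integrated Security=true"))
        {
            SqlCommand cmd = BuildParameterized(con, "", "O'Brien", "2019-05-01");
            Console.WriteLine(cmd.CommandText + "  [" + cmd.Parameters.Count + " parameters]");
        }
    }
}
```

The same values that corrupt the concatenated text leave the parameterized CommandText untouched, because they are sent to the server as data rather than spliced into the SQL.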

