如何解决这个错误？ [英] How to solve this error ?

问题描述

con.Open();
          string query = "insert into staff_doc values (" + textBox1.Text + " , '" + textBox2.Text + "' , '" + textBox3.Text + "' , '" + textBox4.Text + "' , '" + comboBox1.Text + "' , '" + comboBox2.Text + "' , '" + comboBox3.Text + "' , '" + textBox5.Text + "' , '" + textBox6.Text + "' , '" + textBox7.Text + "' , '" + textBox8.Text + "' , '" + textBox9.Text + "')";
          cmd = new SqlCommand(query, con);
          cmd.ExecuteNonQuery();
          MessageBox.Show("Data Added");
          clear();
          cmd.Dispose();
          con.Close();

      }
      public void clear()
      {
          textBox1.Text = "";
          textBox2.Text = "";
          textBox3.Text = "";
          textBox4.Text = "";
          textBox5.Text = "";
          textBox6.Text = "";
          textBox7.Text = "";
          textBox8.Text = "";
          textBox9.Text = "";

      }

while submitting

Incorrect syntax near ','.

我尝试了什么：



我在我的知识水平上尝试但是我无法纠正它。

What I have tried:

I tried at my knowledge level but i cant rectified it.

推荐答案

始终使用 SQLParameters 将值传递给sql语句，不要连接字符串。它将导致 SQL注入 [ ^ ]

Always use SQLParameters to pass values to the sql statement, dont concatenate the strings. It will lead to SQL Injection[^]

con.Open();
          string query = "insert into staff_doc values (@value1,@value2,@value3,@value4,@value5,@value6,@value7,@value8,@value9,@value10,@value11,@value12)";
          cmd = new SqlCommand(query, con);
          cmd.Parameters.Add("@value1", textBox1.Text);
          cmd.Parameters.Add("@value2", textBox2.Text);
          cmd.Parameters.Add("@value3", textBox3.Text);
          cmd.Parameters.Add("@value4", textBox4.Text);
          cmd.Parameters.Add("@value5", comboBox1.Text);
          cmd.Parameters.Add("@value6", comboBox2.Text);
          cmd.Parameters.Add("@value7", comboBox3.Text);
          cmd.Parameters.Add("@value8", textBox5.Text);
          cmd.Parameters.Add("@value9", textBox6.Text);
          cmd.Parameters.Add("@value10", textBox7.Text);
          cmd.Parameters.Add("@value11", textBox8.Text);
          cmd.Parameters.Add("@value12", textBox9.Text);

由于您没有提供数据库结构和文本框/组合框的值，因此无法判断为什么会出现此错误。



通过按照您的方式构建请求，有效性取决于文本框/组合框的值。如果一个包含'，则足以确保出现错误，如果该值是针对注射制作的，则可能是最差的。

SQL注入 [ ^ ]



始终建议使用Karthik所描述的参数。

It is not possible to tell why you get this error because you didn't gave the database structure and the values of the textboxes/comboboxes.

By building the request the way you do, the validity depend on the value of the textboxes/comboboxes. if one contain a ', it is enough to ensure an error and it can be worst if the value is crafted for an injection.
SQL Injection[^]

It is always recommended to use parameters as described by Karthik.

如果遇到该错误消息，则某些变量为空。空变量是并排逗号的原因。您必须使用SqlCommand参数。你应该在检查变量中的正确值之前。

if you encounter that error message, some variables is empty. Empty variables is cause to come side by side commas. You have to use the SqlCommand Parameters. Either you should before check correct value in variables.

这篇关于如何解决这个错误？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！