Syntax error in update statement


Problem description

private void btnsave_Click(object sender, EventArgs e)
{
    if (btnsave.Text == "Save")
    {
        conn.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\Users\Ashutosh\Documents\Visual Studio 2015\Projects\Practicle MCA\Practicle MCA\MCA_IV.mdb";
        com.CommandText = "INSERT INTO Student_info (R_YEAR,CLASS,FIRST_NAME,LAST_NAME,DOB,AGE,FAT_NAME,MOT_NAME,NATIONALITY,CITY,ADDRESS,PIN,CONTACT,EMAIL)VALUES('" + tbyear.Text + "','" + Cbclass.Text + "','" + tbfname.Text + "','" + tblastname.Text + "','" + tbdob.Text + "','" + tbage.Text + "','" + tbfathername.Text + "','" + tbmothername.Text + "','" + cbnationality.Text + "','" + tbcitydist.Text + "','" + tbadress.Text + "','" + tbpin.Text + "','" + tbcontact.Text + "','" + tbemail.Text + "')";
        conn.Open();
        com.Connection = conn;
        com.ExecuteNonQuery();
        conn.Close();
    }
    else if (btnsave.Text == "Update")
    {

        conn.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\Users\Ashutosh\Documents\Visual Studio 2015\Projects\Practicle MCA\Practicle MCA\MCA_IV.mdb";

        // This line is the one the question is about. It contains three defects: "EMAIL'" is missing the "=",
        // there is a stray comma before WHERE, and the single quote opened before the ID value is never closed.
        string s = "UPDATE Student_info SET R_YEAR='" + tbyear.Text + "',CLASS='" + Cbclass.Text + "',FIRST_NAME='" + tbfname.Text + "',LAST_NAME='" + tblastname.Text + "',DOB='" + tbdob.Text + "',AGE='" + tbage.Text + "',FAT_NAME='" + tbfathername.Text + "',MOT_NAME='" + tbmothername.Text + "',NATIONALITY='" + cbnationality.Text + "',CITY='" + tbcitydist.Text + "',ADDRESS='" + tbadress.Text + "',PIN='" + tbpin.Text + "',CONTACT='" + tbcontact.Text + "',EMAIL'" + tbemail.Text + "', where ID='"+ int.Parse(cbid.Text);

        OleDbCommand com = new OleDbCommand();
        com.Connection = conn;
        com.CommandText = s;
        conn.Open();
        com.ExecuteNonQuery();
    }
    conn.Close();
}

Recommended answer

This comes up almost every single day. The standard answer is this:

Google for "C# Parameterized SQL queries".

Another problem is that you're using string concatenation to build an SQL query. What you're really doing is opening up your code to SQL Injection Attacks and risking destroying your entire database.
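The following is an added example, not code from the question or from the answer above, showing what "parameterized SQL queries" means for the INSERT and UPDATE branches in the question. It assumes the table and column names from the question, that ID is an Access Long Integer column and the other columns are Text, and it uses a placeholder database path; the connection-string path and the method names are assumptions. Because the OLE DB provider does not support named parameters, each "?" is bound by position, so the parameter list must be added in the same order as the placeholders appear in the SQL text, with the WHERE parameter last.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example (not the question's or the answer's code).
// Assumptions not stated on the page: ID is a numeric column, all other columns are Text.
public static class StudentRepository
{
    // Placeholder path; replace with the real location of the .mdb file.
    private const string ConnectionString =
        @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\path\to\MCA_IV.mdb";

    // Columns in the order their '?' placeholders appear in the generated SQL.
    private static readonly string[] Columns =
    {
        "R_YEAR", "CLASS", "FIRST_NAME", "LAST_NAME", "DOB", "AGE", "FAT_NAME",
        "MOT_NAME", "NATIONALITY", "CITY", "ADDRESS", "PIN", "CONTACT", "EMAIL"
    };

    // Binds one value per column, positionally, as typed data rather than SQL text.
    // A quote, comment marker or keyword typed into a textbox therefore cannot
    // change the statement; it is stored as the literal string the user entered.
    private static void AddColumnParameters(OleDbCommand cmd, string[] values)
    {
        if (values.Length != Columns.Length)
            throw new ArgumentException("one value per column is required", nameof(values));

        for (int i = 0; i < Columns.Length; i++)
        {
            cmd.Parameters.Add("@p" + i, OleDbType.VarWChar).Value =
                (object)values[i] ?? DBNull.Value;
        }
    }

    // Replaces the INSERT branch from the question. Returns the rows affected (1 on success).
    public static int InsertStudent(string[] values)
    {
        string columnList = string.Join(", ", Columns);
        string placeholders = string.Join(", ", Array.ConvertAll(Columns, c => "?"));
        string sql = "INSERT INTO Student_info (" + columnList + ") VALUES (" + placeholders + ")";

        using (var conn = new OleDbConnection(ConnectionString))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            AddColumnParameters(cmd, values);
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Replaces the UPDATE branch from the question. Returns the rows affected
    // (0 means no student row has that ID, which the caller should report).
    public static int UpdateStudent(int id, string[] values)
    {
        string setList = string.Join(", ", Array.ConvertAll(Columns, c => c + " = ?"));
        string sql = "UPDATE Student_info SET " + setList + " WHERE ID = ?";

        using (var conn = new OleDbConnection(ConnectionString))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            AddColumnParameters(cmd, values);
            // The WHERE placeholder is the last '?', so its parameter is added last,
            // typed as an integer instead of being quoted into the SQL string.
            cmd.Parameters.Add("@id", OleDbType.Integer).Value = id;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

In the button handler, collect the fourteen textbox values into an array in the same order as Columns, and use int.TryParse on cbid.Text rather than int.Parse so that an empty or non-numeric ID produces a message instead of an exception. Both connection and command are wrapped in using blocks, which also fixes the connection left open by the original code when ExecuteNonQuery throws.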


