使用访问DB插入到语句中的语法错误 [英] Syntax error in Insert into statement using access DB
本文介绍了使用访问DB插入到语句中的语法错误的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
嗨大家好,
我正在使用访问数据库来插入值,以下是代码:
public Int32 InsertUser( string firstnm, string lastnm, string unm, string pwd, string 添加,字符串电子邮件, string contact)
{
int i = 0 ;
OleDbConnection con = GetConnection();
OleDbCommand cmd = new OleDbCommand( insert进入usermaster(FullName,UserName,Password,Address,EmailID,ContactNo)值(' + firstnm + + lastnm + ',' + unm + ',' + pwd + ',' + add + ',' + email + ',' + contact + '),con);
con.Open();
i = cmd.ExecuteNonQuery();
con.Close();
return i;
}
现在,当我使用VS运行它时,它给出了错误插入声明中的语法错误,但是当我使用相同的命令并通过Access查询向导运行它来执行。
那么问题出在哪里。任何帮助。
解决方案
只是添加到Mehdi所说的内容:
不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。很有可能会解决你发现的问题。
这里还有另外两个问题:
1)你完成后应该处理OleDb对象:
使用(OleDbConnection con = GetConnection())
{
使用(OleDbCommand cmd = new OleDbCommand( INSERT INTO usermaster(FullName,UserName,Password,Address,EmailID,ContactNo)VALUES(@NM,@ UN,@ PW,@ AD,@ EM,@ CN), con))
{
cmd.Parameters.AddWithValue( @ NM ,firstnm + + lastnm);
cmd.Parameters.AddWithValue( @ UN,unm);
cmd.Parameters.AddWithValue( @ PW,pwd);
cmd.Parameters.AddWithValue( @ AD,添加);
cmd.Parameters.AddWithValue( @ EM,email);
cmd.Parameters.AddWithValue( @ CN,contact);
con.Open();
return (cmd.ExecuteNonQuery());
}
}
2)绝不以明文形式存储密码 - 这是一个主要的安全风险。有关如何在此处执行此操作的信息:密码存储:如何做到这一点。 [ ^ ]
使用参数查询而不是字符串连接: http://www.mikesdotnetting.com/article/26/parameter-queries-in-asp-net-with-ms-access [<一个href =http://www.mikesdotnetting.com/article/26/parameter-queries-in-asp-net-with-ms-accesstarget =_ blanktitle =新窗口> ^ ]
Hi Guys,
I am using access Database to insert values, following is the code:
public Int32 InsertUser(string firstnm, string lastnm, string unm, string pwd, string add, string email, string contact)
{
int i = 0;
OleDbConnection con = GetConnection();
OleDbCommand cmd = new OleDbCommand("insert into usermaster(FullName,UserName,Password,Address,EmailID,ContactNo) values('" + firstnm + " " + lastnm + "','" + unm + "','" + pwd + "','" + add + "','" + email + "','" + contact + "')", con);
con.Open();
i = cmd.ExecuteNonQuery();
con.Close();
return i;
}
Now when I am running it with VS it gives me Error "SYNTAX ERROR IN INSERT INTO STATEMENT" but when I use the same command and run it through Access query wizard it gets executed.
So where is the problem. Any help.
解决方案
Just to add to what Mehdi says:
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. The chances are that will cure the problem you have spotted.
There are two other problems here:
1) You should Dispose OleDb objects when you are finished with them:
using (OleDbConnection con = GetConnection()) { using (OleDbCommand cmd = new OleDbCommand("INSERT INTO usermaster (FullName,UserName,Password,Address,EmailID,ContactNo) VALUES (@NM, @UN, @PW, @AD, @EM, @CN)", con)) { cmd.Parameters.AddWithValue("@NM", firstnm + " " + lastnm); cmd.Parameters.AddWithValue("@UN", unm); cmd.Parameters.AddWithValue("@PW", pwd); cmd.Parameters.AddWithValue("@AD", add); cmd.Parameters.AddWithValue("@EM", email); cmd.Parameters.AddWithValue("@CN", contact); con.Open(); return (cmd.ExecuteNonQuery()); } }
2) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.[^]
Use parameter queries instead of string concatenation : http://www.mikesdotnetting.com/article/26/parameter-queries-in-asp-net-with-ms-access[^]
这篇关于使用访问DB插入到语句中的语法错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
