's'附近的语法不正确 [英] incorrect syntax near 's'
本文介绍了's'附近的语法不正确的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我收到错误s'附近语法错误'
i'm getting error Incorrect syntax near s'
da = new SqlDataAdapter("insert into rsa_addtocart(UserId,productid,productname,ProductImage,price,qty,totalcost,cdate)values(" + Convert.ToInt32(Session["users"].ToString()) + "," + Convert.ToInt32(ds.Tables[0].Rows[0][0].ToString()) + ",'" + ds.Tables[0].Rows[0][1].ToString() + "','" + ds.Tables[0].Rows[0][3].ToString() + "'," + Convert.ToDecimal(ds.Tables[0].Rows[0][2].ToString()) + ",1," + Convert.ToDecimal(ds.Tables[0].Rows[0][2].ToString()) + ",getdate())", con);
da.SelectCommand.ExecuteNonQuery();
如果产品名称没有撇号我没有收到任何错误但是有撇号它会引发异常所以试图使用参数化查询但不知道如何获取ProductImage参数中的值
If product name is without apostrophe i'm not getting any error but with apostrophe it throws an exception so tried to use the parameterized queries but don't know how to get values in parameters for ProductImage
ProductImage,ds.Tables[0].Rows[0][3].ToString()
请帮我解决这个问题。
please help me to solve this.
推荐答案
不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。
这可能会同时解决您的问题。
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
The chances are that that will cure your problem at the same time.
using (SqlCommand cmd = new SqlCommand("insert into rsa_addtocart(UserId,productid,productname,ProductImage,price,qty,totalcost,cdate)values(@UID, @PID, @PN, @PI, @PR, @QTY, @TC, GETDATE())", con))
{
cmd.Parameters.AddWithValue("@UID", Convert.ToInt32(Session["users"]));
cmd.Parameters.AddWithValue("@PID", Convert.ToInt32(ds.Tables[0].Rows[0][0]);
cmd.Parameters.AddWithValue("@PN", ds.Tables[0].Rows[0][1]);
cmd.Parameters.AddWithValue("@PI", ds.Tables[0].Rows[0][3]);
cmd.Parameters.AddWithValue("@PR", Convert.ToDecimal(ds.Tables[0].Rows[0][2]);
cmd.Parameters.AddWithValue("@QTY", 1);
cmd.Parameters.AddWithValue("@TC", Convert.ToDecimal(ds.Tables[0].Rows[0][2]);
cmd.ExecuteNonQuery();
}
错过硬编码值![/ edit]
[edit]Missed that hard coded value![/edit]
您的代码容易受到 SQL注入 [ ^ ]。
从不使用字符串连接来构建SQL查询。总是使用参数化查询。
Your code is vulnerable to SQL Injection[^].
NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
using (var command = new SqlCommand("insert into rsa_addtocart (UserId, productid, productname, ProductImage, price, qty, totalcost, cdate) values (@UserId, @productid, @productname, @ProductImage, @price, @qty, @totalcost, @cdate)", con))
{
command.Parameters.AddWithValue("@UserId", Session["users"]);
command.Parameters.AddWithValue("@productid", ds.Tables[0].Rows[0][0]);
command.Parameters.AddWithValue("@productname", ds.Tables[0].Rows[0][1]);
command.Parameters.AddWithValue("@ProductImage", ds.Tables[0].Rows[0][3]);
command.Parameters.AddWithValue("@price", ds.Tables[0].Rows[0][2]);
command.Parameters.AddWithValue("@qty", 1);
command.Parameters.AddWithValue("@totalcost", ds.Tables[0].Rows[0][2]);
command.Parameters.AddWithValue("@cdate", DateTime.Now);
if (con.State != ConnectionState.Open)
{
con.Open();
try
{
command.ExecuteNonQuery();
}
finally
{
con.Close();
}
}
else
{
command.ExecuteNonQuery();
}
}
这篇关于's'附近的语法不正确的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
