我不断收到此错误：“预期结束语”。 [英] I keep getting this error: "End of Statement Expected".

问题描述

cmd.CommandText = " update studet set name='"&TextBox1.Text "','"&textbox2.Text "','"&TextBox3.Text '",total='"&TextBox4.Text& '" where id='"&Textbox1.Text'" "

推荐答案

你可能会错过一些& amp ;的。尝试

cmd.CommandText =update studet set name ='& TextBox1.Text&'，'& textbox2.Text&'，'& ; TextBox3.Text&'，total ='& TextBox4.Text& 'where id ='& Textbox1.Text'

You may be missing a few &'s. Try
cmd.CommandText = " update studet set name='"&TextBox1.Text&"','"&textbox2.Text&"','"&TextBox3.Text &'",total='"&TextBox4.Text& '" where id='"&Textbox1.Text'" "

从一开始你的方法就错了。您永远不应该通过连接从UI获取的字符串来创建查询。相反，您需要使用参数化语句。请参阅： http://msdn.microsoft.com/en-us/library/ff648339.aspx [ ^ ]。



如果你这样做，你的应用程序完全容易受到众所周知的漏洞的攻击： SQL注入。用户可以在UI中编写任何内容，包括一些SQL片段。你明白了吗？具体方法如下： http://xkcd.com/327 [ ^ ]。



请查看我过去的答案：

EROR IN com.ExecuteNonQuery（）; [ ^ ]，

名称未显示在名称中？ [ ^ ]。

-SA

Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327[^].

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].

—SA

这篇关于我不断收到此错误：“预期结束语”。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！