'''附近的语法不正确。如何解决它Plz帮助 [英] Incorrect Syntax Near '('. How Do I Solve It Plz Help
本文介绍了'''附近的语法不正确。如何解决它Plz帮助的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
try
{
byte[] img = null;
FileStream fs = new FileStream(imgLoc, FileMode.Open, FileAccess.Read);
BinaryReader br = new BinaryReader(fs);
img = br.ReadBytes((int)fs.Length);
string sql = "SET IDENTITY_INSERT studentregister(Sid,fname,lastname,address,email,contact,payment,image)VALUES("+sid.Text+",'"+sfn.Text+"','"+sln.Text+"','"+ ad.Text+"','"+mail.Text+"','"+ct.Text+"','"+pn.Text+"',@img)";
if (con.State != ConnectionState.Open)
con.Open();
command = new SqlCommand(sql,con);
command.Parameters.Add(new SqlParameter("@img", img));
int x = command.ExecuteNonQuery();
con.Close();
MessageBox.Show(x.ToString() + "Record Saved");
}
catch (Exception ex) {
con.Close();
MessageBox.Show(ex.Message);
}
}
[edit]已添加代码块 - OriginalGriff [/ edit]
[edit]Code block added - OriginalGriff[/edit]
推荐答案
你的sql语句的语法改变如下,并使用参数
syntax of your sql statement change as below and also use parameters
byte[] img = null;
FileStream fs = new FileStream(imgLoc, FileMode.Open, FileAccess.Read);
BinaryReader br = new BinaryReader(fs);
img = br.ReadBytes((int)fs.Length);
using (var connection = new SqlConnection("Connection String here"))
{
connection.Open();
var query = "SET IDENTITY_INSERT studentregister ON; INSERT INTO studentregister (Sid,fname,lastname,address,email,contact,payment,image)"+
" VALUES (@Sid,@fname,@lastname,@address,@email,@contact,@payment,@image); SET IDENTITY_INSERT studentregister OFF;";
using (var command = new SqlCommand(query, connection))
{
command.Parameters.AddWithValue("@Sid", sid.Text);
command.Parameters.AddWithValue("@fname", sfn.Text);
command.Parameters.AddWithValue("@lastname", sln.Text);
command.Parameters.AddWithValue("@address", ad.Text);
command.Parameters.AddWithValue("@email", mail.Text);
command.Parameters.AddWithValue("@contact", ct.Text);
command.Parameters.AddWithValue("@payment", pn.Text);
command.Parameters.AddWithValue("@image", img);
command.ExecuteNonQuery();
}
}
嗯。
你的SQL有几个问题。
您注意到的是INSERT INTO部分缺失
尝试:
Um.
Your SQL has a couple of problems.
The one you have noticed is that the INSERT INTO part is missing
Try:
string sql = "SET IDENTITY_INSERT; INSERT INTO studentregister(Sid,fname,lastname,address,email,contact,payment,image)VALUES("+sid.Text+",'"+sfn.Text+"','"+sln.Text+"','"+ ad.Text+"','"+mail.Text+"','"+ct.Text+"','"+pn.Text+"',@img)";
应该更好。
但是......不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。改为使用参数化查询。
为什么使用部分参数化的查询,但是将真正危险的位保留为连接文本?
Should work better.
But...Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
Why are you using a query which is partially parametrized, but which leaves the really dangerous bits as concatenated text?
从一开始你的方法就错了。您永远不应该通过连接从UI获取的字符串来创建查询。相反,您需要使用参数化语句。请参阅: http://msdn.microsoft.com/en-us/library/ff648339.aspx [ ^ ]。
如果你这样做,你的应用程序完全容易受到众所周知的漏洞的攻击: SQL注入。用户可以在UI中编写任何内容,包括一些SQL片段。你明白了吗?具体方法如下: http://xkcd.com/327 [ ^ ]。
请查看我过去的答案:
EROR IN com.ExecuteNonQuery(); [ ^ ],
名称未显示在名称中? [ ^ ]。
-SA
Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx[^].
If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327[^].
Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();[^],
hi name is not displaying in name?[^].
—SA
这篇关于'''附近的语法不正确。如何解决它Plz帮助的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
