当我尝试存储用户名和城市时,它显示错误(db是SQL SERVER2008) [英] When I try to store the username and city it shows error(db is SQL SERVER2008)
问题描述
关键字'table'附近的语法不正确。
protected void Button2_Click(object sender,EventArgs e)
{
//字符串查询;
string str =数据源= HIMANSHU- PC;初始目录= new1;集成安全性=真;
SqlConnection con = new SqlConnection(str);
con.Open();
string query =insert into table dbinfo values('+ TextBox1.Text +','+ TextBox2.Text +');
SqlCommand cmd = new SqlCommand(query, con);
cmd.ExecuteNonQuery();
con.Close();
}
Incorrect syntax near the keyword 'table'.
protected void Button2_Click(object sender, EventArgs e)
{
// string query;
string str = "Data Source=HIMANSHU-PC;Initial Catalog=new1;Integrated Security=True";
SqlConnection con = new SqlConnection(str);
con.Open();
string query = "insert into table dbinfo values('" + TextBox1.Text + "','" + TextBox2.Text + "')";
SqlCommand cmd = new SqlCommand(query,con);
cmd.ExecuteNonQuery();
con.Close();
}
推荐答案
不要在代码后面使用查询!您是否听说过SQL注入
?
请参阅我的过去的答案 [ ^ ]。
Do not use queries in code behind! Have you ever heard aboutSQL Injection
?
Please, see my past answers[^].
您的代码容易受到 SQL注入
Google首先,你需要更多的实践
无需在您的查询中使用表格,
试试这个,
string query =插入dbinfo值('+ TextBox1.Text +','+ TextBox2.Text +');
Google it first,You need some more practices
No need to use"table" in your query,
Try this,
string query = insert into dbinfo values('" + TextBox1.Text + "','" + TextBox2.Text + "')";
这篇关于当我尝试存储用户名和城市时,它显示错误(db是SQL SERVER2008)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!