You have an error in your SQL syntax; MYSQL


Problem description

Hi!
This is the code I have used:

sqlinsert.CommandText = "INSERT INTO checkreordercritical VALUES ('" & ds2.Tables("Products").Rows(0).Item(0) & "','" & ds2.Tables("Products").Rows(0).Item(1) & "','" & ds2.Tables("Products").Rows(0).Item(2) & "','" & ds2.Tables("Products").Rows(0).Item(3) & "','" & ds2.Tables("Products").Rows(0).Item(4) & "','" & ds2.Tables("Products").Rows(0).Item(5) & "','" & ds2.Tables("Products").Rows(0).Item(6) & "','" & ds2.Tables("Products").Rows(0).Item(7) & "','" & ds2.Tables("Products").Rows(0).Item(8) & "','" & ds2.Tables("Products").Rows(0).Item(9) & "','" & ds2.Tables("Products").Rows(0).Item(10) & "','" & ds2.Tables("Products").Rows(0).Item(11) & "','" & ds2.Tables("Products").Rows(0).Item(12) & "','" & ds2.Tables("Products").Rows(0).Item(13) & "','" & ds2.Tables("Products").Rows(0).Item(14) & "','" & ds2.Tables("Products").Rows(0).Item(15) & "','" & ds2.Tables("Products").Rows(0).Item(16) & "','" & ds2.Tables("Products").Rows(0).Item(17) & "','" & ds2.Tables("Products").Rows(0).Item(18) & "','" & ds2.Tables("Products").Rows(0).Item(19) & "','Reorder')"







However, I got this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '5 OUNCES','Green','0','0','0','koko','0','60','20','10','0','LA','Re' at line 1

Please help me with this. Thanks in advance! God bless

Recommended answer

Please don't do it like that! Never concatenate strings to form an SQL query - it leaves you wide open to SQL Injection attacks, and makes queries much harder to read and debug than they need to be. Use Parameterized queries instead:
sqlinsert.CommandText = "INSERT INTO  checkreordercritical VALUES (@C0, @C1, @C2, @C3 ...
sqlinsert.Parameters.AddWithValue("@C0", ds2.Tables("Products").Rows(0).Item(0))
sqlinsert.Parameters.AddWithValue("@C1", ds2.Tables("Products").Rows(0).Item(1))
sqlinsert.Parameters.AddWithValue("@C2", ds2.Tables("Products").Rows(0).Item(2))
...

It makes it easier to read (because you don't need to use the single quotes) and it's safer. Chances are, your syntax error will disappear at the same time, because it is probably caused by a single quote in the data you are assembling your SQL command from!
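
The parameterized pattern from the answer, generalized to bind every column of a row in a loop and shown next to the concatenated form for a value that contains a single quote. This is an added example, not code from the original question or answer. It assumes `sqlinsert` is a `MySqlCommand` from MySQL Connector/NET; `BuildInsert`, the three sample columns and the row values are constructed for illustration.

```vbnet
Imports System
Imports System.Data
Imports System.Linq
Imports MySql.Data.MySqlClient ' assumption: the page's sqlinsert is a MySqlCommand

Module ReorderInsertExample
    ' Hypothetical helper: builds
    '   INSERT INTO checkreordercritical VALUES (@C0, ..., @C{n-1}, 'Reorder')
    ' and binds each column of the row to its placeholder. Only the constant
    ' placeholder names are concatenated; the data never becomes SQL text.
    Function BuildInsert(row As DataRow) As MySqlCommand
        Dim count As Integer = row.Table.Columns.Count
        Dim names = Enumerable.Range(0, count).Select(Function(i) "@C" & i).ToArray()
        Dim cmd As New MySqlCommand(
            "INSERT INTO checkreordercritical VALUES (" &
            String.Join(", ", names) & ", 'Reorder')")
        For i As Integer = 0 To count - 1
            cmd.Parameters.AddWithValue(names(i), row.Item(i))
        Next
        Return cmd
    End Function

    Sub Main()
        ' Constructed sample row (3 columns instead of the page's 20); the
        ' first value contains a single quote, the cause the answer suspects.
        Dim products As New DataTable("Products")
        products.Columns.Add("Name", GetType(String))
        products.Columns.Add("Size", GetType(String))
        products.Columns.Add("Color", GetType(String))
        Dim row = products.Rows.Add("Mama's Soap", "5 OUNCES", "Green")

        ' Concatenated form, as in the question: the quote inside the data
        ' shifts where the string literals end, so the server parses a
        ' different statement than the one intended.
        Dim concatenated = "INSERT INTO checkreordercritical VALUES ('" &
            String.Join("','", row.ItemArray) & "','Reorder')"
        Console.WriteLine(concatenated)

        ' Parameterized form: fixed statement text, data carried separately.
        Dim cmd = BuildInsert(row)
        Console.WriteLine(cmd.CommandText)
        For Each p As MySqlParameter In cmd.Parameters
            Console.WriteLine(p.ParameterName & " = " & CStr(p.Value))
        Next
        ' With an open connection: cmd.Connection = conn : cmd.ExecuteNonQuery()
    End Sub
End Module
```

`Main` only builds and prints the two forms, so it runs without a MySQL server; the statement text stays identical whatever the row contains.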

