插入到statment中的语法错误 [英] syntax error in insert into statment

问题描述

我的代码如下;

My code as follows;

private void Btn_Save_Click(object sender, EventArgs e)
      {
          for (int i = 0; i < DGVCalendar.RowCount; i++)
          {

              if (Convert.ToBoolean(this.DGVCalendar[0, i].Value) == true)
                 sql = "insert into Tb_Faculty_Availability ([Faculty_Code],[Available_date])" + " values('" + cb_Faculty_Code.Text + "','" + Convert.ToDateTime(DGVCalendar.Rows[i].Cells[1].Value.ToString()) + "',";
              try
              {
                  GFun.Error = "";
                  GFun.InsertAccessData(sql);
                  if (GFun.Error.ToString() != "")
                  {
                      MessageBox.Show(GFun.Error.ToString(), "Error");
                      this.Cursor = Cursors.Arrow;
                      return;
                  }
                  GFun.OleDbCon.Close();
                  MessageBox.Show("Records Inserted Successfully", "Record Inserted", MessageBoxButtons.OK, MessageBoxIcon.Information);
              }

              catch (Exception Ex)
              {
                  MessageBox.Show(Ex.ToString(), "Error");
                  this.Cursor = Cursors.Arrow;
                  return;
              }
          }
      }

在运行模式下如下;



从组合框中选择教员并选择月历，然后在数据网格视图中显示部分月选择日期。



然后保存datagridview中的选定日期在数据库中。





为此我写了一个代码



当我运行时单击保存按钮错误显示如下;



插入到语句中的语法错误。



我的查询如下;

in run mode as follows;

select the faculty from combobox and select the month calendar then partiuclar month selected date will display in the datagridview.

then selected date in datagridview is saved in the database.


for that i written a code

when i run click the save button error shows as follows;

Syntax error in insert into statement.

My query as follows;

sql = "insert into Tb_Faculty_Availability ([Faculty_Code],[Available_date])" + " values('" + cb_Faculty_Code.Text + "','" + Convert.ToDateTime(DGVCalendar.Rows[i].Cells[1].Value.ToString()) + "'";

在上面的查询中有什么错误。



请帮帮我。



问候，

Narasiman P.

what is the mistake, in my above query.

please help me.

Regards,
Narasiman P.

推荐答案

首先，摆脱所有字符串连接并将其替换为参数化的INERT查询。你做的那个错误很容易通过不做你正在做的事来解决。通过简化代码，您可以更轻松地进行调试和维护。



您还将删除自己暴露的大量SQL注入攻击问题由于您巧妙地编写代码的方式。



Google用于参数化SQL查询和SQL注入攻击以获取更多信息和示例。

First, get rid of all that string concatentation and replace it with a parameterized INERT query. That error you''re getting is easily resolved by not doing what you''re doing. By simplifying your code you''re making it easier to debug and maintain.

You''ll also remove the massive SQL Injection Attack problems you''ve exposed yourself to because of the way you nievely wrote your code.

Google for "Parameterized SQL Queries" and "SQL Injection Attack" for more information and examples.

正如Dave Kreskoviak所写，你需要知道如何避免注射攻击。请使用Google查找列出的主题。

接下来，请点击以下链接： SQLParameterCollection.AddWithValue（）方法 [ ^ ]

As Dave Kreskoviak wrote, you need to know how to avoid injection attack. Please use Google to find listed subjects.
Next, follow the link: SQLParameterCollection.AddWithValue() method[^]

如果查看您在代码中编写的查询，则在末尾有额外的逗号查询。请删除它，然后尝试。

If you look at query that you have written in your code, you have extra comma at the end of the query. Please remove it and then try.

sql = "insert into Tb_Faculty_Availability ([Faculty_Code],[Available_date])" + " values('" + cb_Faculty_Code.Text + "','" + Convert.ToDateTime(DGVCalendar.Rows[i].Cells[1].Value.ToString()) + "',";

请删除此逗号----->' ' ， ;来自sql string。

Please remove this comma -----> "'',"; from sql string.

这篇关于插入到statment中的语法错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！