I got this error, how to resolve this


Problem description


Dear All,

Unclosed quotation mark after the character string ')'. Incorrect syntax near ')'.


SqlCommand cmd = new SqlCommand("INSERT INTO lta_declaration VALUES ('" + txtLTA_Destination_To.Text + "','"
                + ddl_Transport.Text + "','"
                + txtDT_From.Text + "','"
                + txtDT_To.Text + "','"
                + txtTravel_Sno_1.Text + "','"
                + txtTravel_Name_1.Text + "','"
                + ddl_Travel_Relationship_1.Text + "','"
                + txtTravel_Age_1.Text + "','"
                + txtTravel_TicketNo_1.Text + "','"
                + txtTravel_Total_Bill_Amount.Text + "',"
                + txtTravel_Amount_Restricted_1.Text + "')", con);

Recommended answers

Your line txtTravel_Total_Bill_Amount.Text + "'," needs a second ',
so it would be txtTravel_Total_Bill_Amount.Text + "','"


Might I recommend skipping concatenating strings for SQL? Because it is VERY insecure. Instead try to use parameters :)


A few additional notes.

Never concatenate values to a SQL statement. The proper way to keep you secure from SQL injections, type conversion errors and so on is to use SqlParameter.

Another thing: while the statement is correct if you specify values for all the columns in the correct order, it's advisable to always define the target columns. This prevents errors if more columns are added, the order of the columns is different, etc. So your statement should look something like:
INSERT INTO TableName
   ( Col1, Col2, Col3, ... )
VALUES 
   ( @Value1, @Value2, @Value3 ...)


One problem of your code is string concatenation. Repeated concatenation is a bad operation, because strings are immutable, so it's a performance problem. Should I explain why? The class System.Text.StringBuilder and the method String.Format are free from this problem.

But a much bigger problem is the purpose of your concatenation. This is really a fatal mistake from the security standpoint. The problem is: you compose a command using the strings taken from the UI, from the user input. But the user can input anything, including some SQL fragments (no, filtering them out is not serious). This opens wide doors to the well-known exploit called SQL injection. Never do it. Please read about this exploit and pay special attention to the importance of parameterized statements:
http://en.wikipedia.org/wiki/SQL_injection

You need to use SQL command parameters the way Mika Wendelius demonstrated in his Solution 2. Please read about using command parameters in ADO.NET:
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx

—SA
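A worked version of what the two answers above recommend, added here as an example; it is not code from the question or from either answer. It places the concatenated statement from the question beside a parameterized INSERT with an explicit column list, so the reader can see why an apostrophe in a text box breaks the first form and is plain data in the second. The column names, the SQL types and lengths, the connection string and the helper names are assumptions: the original post never shows the definition of lta_declaration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example, not the questioner's or the answerers' code.
// Column names, types, lengths and the connection string are placeholders.
public static class LtaDeclarationRepository
{
    // The shape used in the question: values pasted into the SQL text.
    // A single quote inside any value ends the literal early. That is the
    // "Unclosed quotation mark" error from the question, and the same
    // mechanism is what makes the statement injectable.
    public static string BuildUnsafeInsert(string destinationTo, string transport)
    {
        return "INSERT INTO lta_declaration VALUES ('" + destinationTo + "','" + transport + "')";
    }

    // Parameterized form: explicit column list, one parameter per value.
    // The SQL text is constant; the values travel separately, so quotes in
    // user input are data, never syntax. Column names are assumed.
    private const string InsertSql = @"
        INSERT INTO lta_declaration
            (destination_to, transport, dt_from, dt_to,
             traveller_sno, traveller_name, traveller_relationship, traveller_age,
             ticket_no, total_bill_amount, amount_restricted)
        VALUES
            (@DestinationTo, @Transport, @DtFrom, @DtTo,
             @TravellerSno, @TravellerName, @TravellerRelationship, @TravellerAge,
             @TicketNo, @TotalBillAmount, @AmountRestricted)";

    public static int InsertDeclaration(
        SqlConnection con,
        string destinationTo, string transport, DateTime dtFrom, DateTime dtTo,
        string travellerSno, string travellerName, string travellerRelationship, int travellerAge,
        string ticketNo, decimal totalBillAmount, decimal amountRestricted)
    {
        using (var cmd = new SqlCommand(InsertSql, con))
        {
            // Declaring SqlDbType (and a length for strings) avoids implicit
            // server-side conversions and keeps the cached plan stable.
            cmd.Parameters.Add("@DestinationTo", SqlDbType.NVarChar, 100).Value = destinationTo;
            cmd.Parameters.Add("@Transport", SqlDbType.NVarChar, 50).Value = transport;
            cmd.Parameters.Add("@DtFrom", SqlDbType.Date).Value = dtFrom;
            cmd.Parameters.Add("@DtTo", SqlDbType.Date).Value = dtTo;
            cmd.Parameters.Add("@TravellerSno", SqlDbType.NVarChar, 20).Value = travellerSno;
            cmd.Parameters.Add("@TravellerName", SqlDbType.NVarChar, 100).Value = travellerName;
            cmd.Parameters.Add("@TravellerRelationship", SqlDbType.NVarChar, 50).Value = travellerRelationship;
            cmd.Parameters.Add("@TravellerAge", SqlDbType.Int).Value = travellerAge;
            cmd.Parameters.Add("@TicketNo", SqlDbType.NVarChar, 50).Value = ticketNo;
            AddMoney(cmd, "@TotalBillAmount", totalBillAmount);
            AddMoney(cmd, "@AmountRestricted", amountRestricted);
            return cmd.ExecuteNonQuery();
        }
    }

    // decimal(18,2) is an assumed column type for the two amount columns.
    private static void AddMoney(SqlCommand cmd, string name, decimal value)
    {
        SqlParameter p = cmd.Parameters.Add(name, SqlDbType.Decimal);
        p.Precision = 18;
        p.Scale = 2;
        p.Value = value;
    }

    // Convert text box input before it reaches the database, so a bad entry
    // becomes a clear UI message instead of a server-side conversion error.
    public static bool TryParseAmount(string text, out decimal amount)
    {
        return decimal.TryParse(text, NumberStyles.Number, CultureInfo.InvariantCulture, out amount);
    }

    public static void Main()
    {
        // An ordinary place name with an apostrophe is enough to break the
        // concatenated form: the literal closes after "Cox".
        Console.WriteLine(BuildUnsafeInsert("Cox's Bazar", "Bus"));

        decimal total;
        if (!TryParseAmount("1250.50", out total))
            throw new FormatException("Total bill amount is not a number.");

        // Placeholder connection string; replace with the real one.
        using (var con = new SqlConnection("Server=.;Database=PLACEHOLDER_DB;Integrated Security=true"))
        {
            con.Open();
            int rows = InsertDeclaration(con,
                "Cox's Bazar", "Bus", new DateTime(2012, 5, 1), new DateTime(2012, 5, 7),
                "1", "A. Traveller", "Self", 34, "TKT-0001", total, 1000m);
            Console.WriteLine(rows + " row(s) inserted.");
        }
    }
}
```

The same "Cox's Bazar" value that breaks BuildUnsafeInsert inserts cleanly through InsertDeclaration, because the apostrophe never becomes part of the statement text. Parsing the amounts with TryParseAmount before the call also covers the type conversion errors Mika mentions: the database receives a decimal, not whatever string the text box held.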

