我在插入查询时遇到了错误...帮助我 [英] I have Got an error with insert query...Help me

问题描述

错误:-语法错误

代码:-
dbcomm = New OleDbCommand("INSERT INTO contact(full_name，contact_no，e-mail，message，)VALUES(""+ nm +"，""+ cn +"，""+ em +"， ""+ msg +"'')，dbconn)

帮我pleseeeee

error:- Syntax error

Code:--
dbcomm=New OleDbCommand("INSERT INTO contact (full_name,contact_no,e-mail,message,) VALUES (''"+nm+"'',''"+cn+"'',''"+em+"'',''"+msg+"'')",dbconn)

help me pleseeeee

推荐答案

我不知道nm，cn等的含义.您可能已经分配了任何东西来破坏SQL语法，所以我什至不想猜测语法有什么问题.问这个问题"时您是否考虑过?

整个想法是错误的.

基本上，您不应编写任何将字符串与某个可变字符串连接在一起的查询.用它们的方式，任何类型的重复连接都不利于性能，因为字符串是不可变的.类System.Text.StringBuilder或方法string.Format都没有此问题.

但是对于查询，问题更为严重.如果要从UI中获取串联的子字符串，则会为恶意用户打开一个容易利用的漏洞.该技术称为 SQL注入.请参阅:
http://en.wikipedia.org/wiki/SQL_injection [您的名字未显示在名称中吗? [ ^ ].

—SA

I have no idea what''s in nm, cn, etc. You could have assigned anything to screw up your SQL syntax, so I don''t even want to guess what''s wrong with the syntax. Did you think about it while asking this "question"?

The whole idea is wrong.

Basically, you should not compose any queries concatenating the strings with some variable string. By they way, any kind of repeated concatenation is bad for performance, because strings are immutable. The class System.Text.StringBuilder or the method string.Format are free from this problem.

But for queries, the problem is more serious. If you are taking the concatenated substrings from UI, you open up an easy exploit for a malicious user. The technique is called SQL injection. Please see:
http://en.wikipedia.org/wiki/SQL_injection[^].

Please pay attention for importance of parametrized statements. This is what you should do.

For further detail, please see my past answer:
hi name is not displaying in name?[^].

—SA

这篇关于我在插入查询时遇到了错误...帮助我的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！