UPDATE语句中的语法错误 [英] Syntax error in UPDATE Statment

问题描述

下面给出了我的更新解决方案，但更新语句中给出了语法错误.
请给我建议.

表名是通知，其字段未声明为文本，ntext未声明为备忘录

My Solution for update is given below but Syntax error is given in Update Statement.
Please suggest me.

Table name is notification and its field is not declared as text and ntext declared as memo

void update(Object sender, EventArgs e)
{
con.Open();
string va=d1.SelectedItem.Value;
//ta1.Value=va;
 
com=con.CreateCommand();
com.CommandText="UPDATE notification SET ntext = '" + ta1.Value.Replace("\'","\'\'") + "' where nid='" + va + "'";
//com.CommandText="UPDATE notification SET notice = '" + ta1.Value + "' where id='" + va + "'";
try{
com.ExecuteNonQuery();
System.Web.UI.WebControls.Label lbl1=new System.Web.UI.WebControls.Label();
lbl1.ForeColor=System.Drawing.Color.Yellow;
lbl1.BackColor=System.Drawing.Color.Blue;
lbl1.Text="Your record SUBMITED sucessfully";
ph1.Controls.Add(lbl1);
}
catch(Exception ex)
{
Response.Write(ex.Message);
}
con.Close();}

推荐答案

这里有两件事:
您需要做的第一件事是在try语句上放置一个断点，并检查com.CommandText以检查发送到SQL Server的内容是什么.不知道ta1和va的内容，您只是在这个阶段猜测.

另一个是您根本不应该执行此操作-使用Parametrized查询，因为如果您不这样做，则可能会遭受意外或蓄意的SQL Inject攻击，这可能会损坏或破坏数据库. >

There are a couple of things here:
The first thing you need to do is put a breakpoint on the try statement, and examine your com.CommandText to check exactly what is being sent to the SQL server. Without knowing the content of ta1 and va you are just guessing at this stage.

The other is that you really shouldn''t do that at all - use Parametrized queries instead because if you don''t you are leaving yourself open to accidental or deliberate SQL Inject attacks, which could damage or destroy you database.

com.CommandText="UPDATE notification SET ntext = @NT where nid=@NI";
com.Parameters.AddWithValue("@NT", ta1.Value.Replace("\'","\'\'"));
com.Parameters.AddWithValue("@NI", va);

您可能会发现您原来的问题同时消失了...

You may well find that you original problem disappears at the same time...

这篇关于UPDATE语句中的语法错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！