SQL查询错误:语法错误“#”附近 [英] SQL query error :Incorrect Syntax Near "#"?

查看:139
本文介绍了SQL查询错误:语法错误“#”附近的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

当我尝试执行此SQL查询时:

When I try to execute this SQL query:

savInto.CommandText = "update onCommands set warnDate =#" & movDate.Value.ToString("MM/dd/yyyy") 
& "#,updateDate =#" & Date.Now.ToShortDateString 
& "#,transportCompany ='" & Trim(Company.Text) 
& "' where ID =" & moveID

我收到此错误:

Incorrect syntax near '#'


推荐答案

主要的问题是您正在尝试将参数作为SQL本身的一部分提供。虽然的方法(使用撇号而不是),但通常是一个坏主意:

Well the main problem is that you're trying to provide the parameter as part of the SQL itself. While there are ways of doing that (use an apostrophe rather than #), it's generally a bad idea:


  • 当与任意字符串一起使用时,它会邀请 SQL注入攻击

  • 读取代码更困难

  • 它引入了不必要的字符串转换

而应该使用参数化的SQL并指定参数的值。如下所示:

Instead, you should use parameterized SQL and specify the value for the parameter. Something like:

savInto.CommandText = "update onCommands set warnDate = @warnDate" & 
    ", updateDate = @updateDate, transportCompany = @transportCompany" &
    " where ID=@moveID"
savInto.Parameters.Add("@warnDate", SqlDbType.DateTime).Value = movDate
savInto.Parameters.Add("@updateDate", SqlDbType.DateTime).Value = Date.Now
savInto.Parameters.Add("@transportCompany", SqlDbType.NVarChar).Value = Trim(Company.Text)
savInto.Parameters.Add("@moveID", SqlDbType.NVarChar).Value = moveID

这篇关于SQL查询错误:语法错误“#”附近的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆