我一直在为我的工作场所建立一个小型库存系统,偶然发现了一个我似乎无法解决的错误
private void Update(string num,string name, string quant, string location, string category, string numquery)
{
// "UPDATE Inventory SET Inventorynumber='"+ num +"',Inventory_Name='"+name+"', Quantity ='"+ quant+"',Location ='"+ location+"' Category ='"+ category+"' WHERE Inventorynumber ='"+ numquery +"';";
string query = "UPDATE Inventory SET Inventorynumber='" + Convert.ToInt16(num) + "',Inventory_Name='" + name + "', Quantity ='" + quant + "',Location ='" + location + "' Category ='" + category + "' WHERE Inventorynumber ='" + Convert.ToInt16(numquery) + "'";
if (this.OpenConnection() == true)
{
MySqlCommand cmd = new MySqlCommand();
cmd.CommandText = query;
cmd.Connection = serverconnection;
cmd.ExecuteNonQuery();
this.CloseConnection();
Bind();
}
}
我不知道在这里要改变什么。 任何帮助将不胜感激。
答案 0 :(得分:7)
问题:您在查询中comma参数后遗漏了location。
解决方案:您需要使用parameters分隔comma。
建议:使用parameterised queries来避免Sql Injection Attacks
试试这个:
private void Update(string num,string name, string quant, string location, string category, string numquery)
{
// "UPDATE Inventory SET Inventorynumber='"+ num +"',Inventory_Name='"+name+"', Quantity ='"+ quant+"',Location ='"+ location+"' Category ='"+ category+"' WHERE Inventorynumber ='"+ numquery +"';";
string query = "UPDATE Inventory SET Inventorynumber=@Inventorynumber,Inventory_Name=@Inventory_Name, Quantity =@Quantity ,Location =@Location,Category =@Category WHERE Inventorynumber =@Inventorynumber";
if (this.OpenConnection() == true)
{
MySqlCommand cmd = new MySqlCommand();
cmd.CommandText = query;
cmd.Parameters.AddWithValue("@Inventorynumber",Convert.ToInt16(num));
cmd.Parameters.AddWithValue("@Inventory_Name",name);
cmd.Parameters.AddWithValue("@Quantity",quant);
cmd.Parameters.AddWithValue("@Location",location);
cmd.Parameters.AddWithValue("@Category",category);
cmd.Parameters.AddWithValue("@Inventorynumber",Convert.ToInt16(numquery));
cmd.Connection = serverconnection;
cmd.ExecuteNonQuery();
this.CloseConnection();
Bind();
}
}
答案 1 :(得分:2)
您在位置和类别之间缺少逗号。你已经听过这一百万次了,但是使用准备好的语句真的好多了,所以你不必处理这类事情,你的代码更具可读性。
答案 2 :(得分:1)
你错过了逗号
Location ='" + location + "', Category ='" + category + "'
// see the `,` between Location and Category
答案 3 :(得分:1)
您在查询中错过了逗号(,):
string query = "UPDATE Inventory SET Inventorynumber='" + Convert.ToInt16(num) + "',Inventory_Name='" + name + "', Quantity ='" + quant + "',Location ='" + location + "' Category ='" + category + "' WHERE Inventorynumber ='" + Convert.ToInt16(numquery) + "'";
将其设为:
string query = "UPDATE Inventory SET Inventorynumber='" + Convert.ToInt16(num) + "',Inventory_Name='" + name + "', Quantity ='" + quant + "',Location ='" + location + "', Category ='" + category + "' WHERE Inventorynumber ='" + Convert.ToInt16(numquery) + "'";
答案 4 :(得分:1)
是错误是在缺少的逗号中,但这是所有混乱的字符串连接的结果,它总是以微妙的语法错误结束。
为什么不使用参数化查询?编写它会简单得多,你可以避免解析这样的错误,并且(更重要的是)避免Sql注入
private void Update(string num,string name, string quant, string location, string category, string numquery)
{
string query = "UPDATE Inventory SET Inventorynumber=@num, Inventory_Name=@name, " +
"Quantity =@qty,Location =@loc, Category =@cat " +
"WHERE Inventorynumber =@numquery";
if (this.OpenConnection() == true)
{
MySqlCommand cmd = new MySqlCommand(query, serverconnection);
cmd.Parameters.AddWithValue("@num", Convert.ToInt16(num));
cmd.Parameters.AddWithValue("@name", name);
cmd.Parameters.AddWithValue("@qty", quant);
cmd.Parameters.AddWithValue("@loc", location);
cmd.Parameters.AddWithValue("@cat", category);
cmd.Parameters.AddWithValue("@numquery", Convert.ToInt16(numquery));
cmd.ExecuteNonQuery();
this.CloseConnection();
Bind();
}
}
作为旁注,我对某些参数类型有些怀疑。您确定数量实际上是一个字符串,因为原始值周围存在引号吗?
此外,numquery和num变量的类型为字符串,您尝试将其转换为短整数,然后将它们放在引号内(这意味着在数据库中字段的类型为text)。这毫无意义。如果数据库需要数字,则不使用引号,如果数据库需要字符串,则不要尝试转换。使用参数化查询的另一个原因迫使您反思这些问题。
答案 5 :(得分:0)
尝试删除整数周围的'单引号?