Question

我正在尝试插入一条记录来访问数据库，但在insert into语句中不断出现语法错误。

请帮帮我。

try
{
    cnn.Open();
    OleDbCommand savea = new OleDbCommand();
    savea.Connection = cnn;
    savea.CommandText = "INSERT INTO FirstYear(LastName, FirstName,       MiddleName, ContactNumber, Age, BirthDateYear, HomeAddress, Gender, Religion,     Citizenship, GuardianName, GuardianContactNum, RelationtoStudent, Work,     GuardianHomeAddress) values ('" + lastname.Text + "' , '" + firstname.Text + "'     , '" + middlename.Text + "' , " + contactnum.Text + " , " + age.Text + " , '" +     dateTimePicker1.Text + "' , '" + homeadd.Text + "' , '" + gender.Text + "' , '"     + religion.Text + "', '" + citizenship.Text + "' , '" + fullname.Text + "' , " +     gcontactnum.Text + " , '" + rrelation.Text + "' , '" + work.Text + "' , '" +     ghomeadd.Text + "')";
    int temp = savea.ExecuteNonQuery();

    if (temp > 0)
    {
        MessageBox.Show("Successfully Submitted");
    }
}

catch (Exception ex)
{
    MessageBox.Show("Error" + ex);
}

cnn.Close();

Answer 1

使用它，我认为问题是字符串格式化。另外用户参数传递值，这种方式通过连接字符串你很容易被黑客攻击（Sql Injection）

savea.CommandText = "INSERT INTO FirstYear(LastName, FirstName, MiddleName, ContactNumber, Age, BirthDateYear, HomeAddress, Gender, Religion,     Citizenship, GuardianName, GuardianContactNum, RelationtoStudent, Work, GuardianHomeAddress) values ('" + lastname.Text + "' , '" + firstname.Text + "'     , '" + middlename.Text + "' , '" + contactnum.Text + "' , '" + age.Text + "' , '" +     dateTimePicker1.Text + "' , '" + homeadd.Text + "' , '" + gender.Text + "' , '"     + religion.Text + "', '" + citizenship.Text + "' , '" + fullname.Text + "' , '" +     gcontactnum.Text + "' , '" + rrelation.Text + "' , '" + work.Text + "' , '" +     ghomeadd.Text + "')";

但我建议你遵循以下编码风格，

string sqlQuery= "INSERT INTO FirstYear(LastName, FirstName, MiddleName, ContactNumber, Age, BirthDateYear, HomeAddress, Gender, Religion,     Citizenship, GuardianName, GuardianContactNum, RelationtoStudent, Work, GuardianHomeAddress) values (@Lastname, @Firstname, @MiddleName, @ContactNumber, @Age, @BirthDateYear, @HomeAddress, @Gender, @Religion, @Citizenship, @GuardianName, @GuardianContactNum, @RelationtoStudent, @Work, @GuardianHomeAddress  )";

using (var cmd = new OleDbCommand(sqlQuery, connectionString))
{
  cmd.Parameters.Add("@Lastname", OleDbType.VarChar).Value = lastname.Text;
  cmd.Parameters.Add("@Firstname", OleDbType.VarChar).Value = firstname.Text;
 // ... so on
 cmd.ExecuteNonQuery();
}

Answer 2

可能的错误（如果您提供错误文本，我可以更具体地说明）

参数数量无效。避免使用string.Format

savea.CommandText = string.Format（＆＃34;插入FirstYear（{0}，{1}，...）值（＆＃39; {10}＆＃39;，＆＃39; { 11}＆＃39; ...）＆＃34;，＆＃34; LastName＆＃34;，＆＃34; FirstName＆＃34;，...，lastname.text，firstname.text，...）< / p>
连接字符串无效。请参阅connectionstrings.com
逃避你的字符串

firstname.text.Replace（＆＃34;＆＃39;＆＃34;，＆＃34;＆＃39;＆＃39;＆＃34;）

Answer 3

缺少一些'字符可能是原因。无论如何，我会使用参数而不是字符串concartenation来避免注入攻击

savea.CommandText = "INSERT INTO FirstYear(LastName, FirstName,MiddleName ...)  values (@LastName, @FirstName,MiddleName ...)";
savea.Parameters.Add("@LastName", OleDbType.VarChar).Value = lastname.Text ;
savea.Parameters.Add("@FirstName", OleDbType.VarChar).Value = firstname.Text;
savea.Parameters.Add("@MiddleName", OleDbType.VarChar).Value = middlename.Text;
...

Answer 4

你有一些''不匹配。目前你的代码也容易受到Sql Injection的攻击，总是使用参数。还可以使用using块来确保对象已关闭并正确放置

string myQuery = "INSERT INTO FirstYear(LastName, FirstName, ...) values (@Lastname, @Firstname, ... )";

using (var cmd = new OleDbCommand(myQuery, connectionString))
{
  cmd.Parameters.Add("@Lastname", OleDbType.VarChar).Value = lastname.Text;
  cmd.Parameters.Add("@Firstname", OleDbType.VarChar).Value = firstname.Text;
  ...
}

Answer 5

如果您想使用此语法，请更正下面突出显示的错误。

插入错误c＃，访问

5 个答案: