从 Access 运行时,UPDATE 查询工作正常,但在 C# 应用程序中引发 SQL 语法错误
我有一个非常简单的 Update 语句,它将更新邮件服务器设置和网络凭据信息...当我在 Access 中运行查询时,查询工作正常,但 C# 不断给出错误,指出我的 SQL 语法错误...我有一个数据访问层(dal 类)和更新实例方法粘贴在下面...但问题一定是其他的,因为我已经用这种方式更新了很多东西,但这次它不会这样做..任何线索将不胜感激。 提前谢谢。
更新 DAL 类中的实例方法..(这应该是一个数据访问层:)我只是一名管理毕业生:P
public int UpdateRow(string Query, bool isSP, params OleDbParameter[] args)
{
int affectedRows = -1;
using (con = new OleDbConnection(connStr))
{
using (cmd = con.CreateCommand())
{
cmd.CommandText = Query;
if (isSP)
{
cmd.CommandType = CommandType.StoredProcedure;
}
if (args != null)
{
foreach (OleDbParameter prm in args)
{
cmd.Parameters.Add(prm);
}
}
try
{
con.Open();
affectedRows = cmd.ExecuteNonQuery();
}
catch(OleDbException ex)
{
throw ex;
}
catch (Exception ex)
{
throw ex;
}
}
}
return affectedRows;
}
ASP.NEt 代码隐藏将执行更新=
protected void Update_Click(object sender, EventArgs e) {
DAL dal = new DAL();
string upt = string.Format("UPDATE [MailConfig] SET Server='{0}', Username='{1}', Password='{2}', AddressFrom='{3}', DisplayName='{4}'",server.Text,username.Text,password.Text,replyto.Text,displayname.Text);
dal.UpdateRow(upt,false,null);
LoadData();
}
和平!
I have a very simple Update statement that will update mail server settings and network credentials info... Query works fine when I run it in Access but C# keeps giving me the error stating that my SQL Syntax is wrong ... I have a dataaccess layer (dal class) and Update instance method pasted belows ... But the problem must be sth else cuz I have updated lots of stuff this way but this time it just won't do .. any clues will be greatly appreciated. Thx in advance.
Update instance method in DAL class .. (this is supposed to be a Data Access Layer :) I'm just a management graduate :P
public int UpdateRow(string Query, bool isSP, params OleDbParameter[] args)
{
int affectedRows = -1;
using (con = new OleDbConnection(connStr))
{
using (cmd = con.CreateCommand())
{
cmd.CommandText = Query;
if (isSP)
{
cmd.CommandType = CommandType.StoredProcedure;
}
if (args != null)
{
foreach (OleDbParameter prm in args)
{
cmd.Parameters.Add(prm);
}
}
try
{
con.Open();
affectedRows = cmd.ExecuteNonQuery();
}
catch(OleDbException ex)
{
throw ex;
}
catch (Exception ex)
{
throw ex;
}
}
}
return affectedRows;
}
And the ASP.NEt codebehind that will do the updating =
protected void Update_Click(object sender, EventArgs e) {
DAL dal = new DAL();
string upt = string.Format("UPDATE [MailConfig] SET Server='{0}', Username='{1}', Password='{2}', AddressFrom='{3}', DisplayName='{4}'",server.Text,username.Text,password.Text,replyto.Text,displayname.Text);
dal.UpdateRow(upt,false,null);
LoadData();
}
peace!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
尝试将字段名称括在 [ ] 中。 我过去遇到过某些字段名称的问题,例如用户名、密码和计数等,被识别为保留字并搞砸了 sql,给我一个错误。
Trying wrapping your field names in [ ]. I have had problems in the past with certain field names such as a username and password and count, etc, being recognized as reserved words and screwing up the sql giving me an error.
首先 - 不要在这里使用
string.Format
。 使用参数,将参数添加到命令中。 现在,您很容易受到 SQL 注入攻击。 想想“Bobby Tables”。关于“声明我的 SQL 语法错误” - 您能引用确切的错误吗?
First off - don't use
string.Format
here. Use parameters, and add parameters to the command. Right now, you are wide open to SQL injection attacks. Think "Bobby Tables".Re "stating that my SQL Syntax is wrong" - can you please quote the exact error?
首先,您的 Update 中没有 where 子句,因此它将更新所有行,并违反导致错误的键约束(如果有的话)。
其次,运行此类代码使您非常容易受到 SQL 注入攻击,如果有人输入嵌入了 sql 命令的用户名,您可能会丢失所有数据。
您应该使用参数化查询。 您可以使用 @paramname 而不是使用 {4} 在 sql 命令中指定参数,然后使用命令对象执行 accessCommand.parameters.AddWithValue("@paramname", value)
First of all, you have no where clause in your Update, so it will update all rows, and violate key constraints causing an error, if you have any.
Second, running that kind of code makes you very vunerable to SQL Injection, if someone enters a username that has a sql command embedded in it, you could lose all your data.
You should use parameterized queries. You specify your parameters in the sql command with @paramname instead of using {4}, and then with the command object do accessCommand.parameters.AddWithValue("@paramname", value)
您正在使用 StoredProcedure 的 CommandType,但您的查询不是存储过程名称,而是不带 where 子句的 sql 查询。
因此,您需要删除命令类型行,或者将其更改为正确的命令类型CommandType.Text,并添加一个Where子句来指定哪些行将受到影响。
我认为 Access 甚至没有存储过程,因此没有必要使用该命令类型。
使用存储过程的命令示例如下:
该类型的命令字符串只是存储过程的名称。
You are using a CommandType of StoredProcedure, but your query is not a stored procedure name, its a sql query without a where clause.
So you need to remove the command type line, or change it to a correct command type CommandType.Text, and add a Where clause specifying what rows are to be affected.
I don't think Access even has Stored Procedures, so there's no using to use that command type with it.
An example of a command that does use stored procedures would be something like:
The command string for that type is just the name of the stored proc.