如何处理 Access INSERT 语句和 .NET DataGridView 控件中的语法错误？

发布于 2024-10-03 05:15:56 字数 2330 浏览 6 评论 0原文

我正在使用 Access (.accdb) 和一个用 C# 编写的 Windows 窗体应用程序。
当我尝试将数据插入数据库表时出现此错误。

System.Data.OleDb.OleDbException：INSERT INTO 语句中存在语法错误。 Adaptador.InsertCommand.ExecuteNonQuery();

我尝试过直接路由和更新方法，但出现了相同的错误！

我的代码：

private void btnCronograma_Click(object sender, EventArgs e)
{
    OleDbConnection conn = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=mydatabase.accdb");
    string sql;
    int idProyecto, idMes, meta, real;

    OleDbDataAdapter adaptador = new OleDbDataAdapter();

    //for (int i = 0; i < this.dataGridView8.Rows.Count - 1; i++)
    //{
    foreach (DataGridViewRow row in dataGridView8.Rows)
    {
        DataGridViewComboBoxCell combo3 = row.Cells["idProyecto"] as DataGridViewComboBoxCell;
        DataGridViewComboBoxCell combo4 = row.Cells["idMes"] as DataGridViewComboBoxCell;

        MessageBox.Show(combo3.Value.ToString());
        MessageBox.Show(combo4.Value.ToString());

        idProyecto = int.Parse(combo3.Value.ToString());
        idMes = int.Parse(combo4.Value.ToString());

        meta = int.Parse(dataGridView8.Rows[0].Cells[3].Value.ToString());
        real = int.Parse(dataGridView8.Rows[0].Cells[4].Value.ToString());
        MessageBox.Show(meta.ToString());
        MessageBox.Show(real.ToString());

        //for (int i = 0; i < this.dataGridView8.Rows.Count - 1; i++)
        //{
        sql = "INSERT INTO IndicadorProyecto (idProyecto, idMes, meta, real) VALUES('" + idProyecto + "' , '" +
                idMes + "' , '" + meta + "' , '" + real + "') ";

        //sql = "INSERT INTO IndicadorProyecto (idMes, meta, real) VALUES('" + idMes + "' , '" + meta + "' , '" + real + "') ";

        if (combo3 == null)
        {
            MessageBox.Show("No se pudo convertir");
        }
        else if (combo4 == null)
        {
            MessageBox.Show("No se pudo convertir");
        }
        else
        {

        }

        try
        {
            conn.Open();
            adaptador.InsertCommand = new OleDbCommand(sql, conn);
            adaptador.InsertCommand.ExecuteNonQuery();
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.ToString());
        }
        finally
        {
            conn.Close();
        }
        //}
    }
}

原文

I'm working with Access (.accdb), and a Windows Forms application, written in C#.
I get this error when I'm trying to insert data into a database table.

System.Data.OleDb.OleDbException:Sintax error in INSERT INTO statement.
adaptador.InsertCommand.ExecuteNonQuery();

I have tried to go through the direct route and update method but coming up with the same error!

My code:

private void btnCronograma_Click(object sender, EventArgs e)
{
    OleDbConnection conn = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=mydatabase.accdb");
    string sql;
    int idProyecto, idMes, meta, real;

    OleDbDataAdapter adaptador = new OleDbDataAdapter();

    //for (int i = 0; i < this.dataGridView8.Rows.Count - 1; i++)
    //{
    foreach (DataGridViewRow row in dataGridView8.Rows)
    {
        DataGridViewComboBoxCell combo3 = row.Cells["idProyecto"] as DataGridViewComboBoxCell;
        DataGridViewComboBoxCell combo4 = row.Cells["idMes"] as DataGridViewComboBoxCell;

        MessageBox.Show(combo3.Value.ToString());
        MessageBox.Show(combo4.Value.ToString());

        idProyecto = int.Parse(combo3.Value.ToString());
        idMes = int.Parse(combo4.Value.ToString());

        meta = int.Parse(dataGridView8.Rows[0].Cells[3].Value.ToString());
        real = int.Parse(dataGridView8.Rows[0].Cells[4].Value.ToString());
        MessageBox.Show(meta.ToString());
        MessageBox.Show(real.ToString());

        //for (int i = 0; i < this.dataGridView8.Rows.Count - 1; i++)
        //{
        sql = "INSERT INTO IndicadorProyecto (idProyecto, idMes, meta, real) VALUES('" + idProyecto + "' , '" +
                idMes + "' , '" + meta + "' , '" + real + "') ";

        //sql = "INSERT INTO IndicadorProyecto (idMes, meta, real) VALUES('" + idMes + "' , '" + meta + "' , '" + real + "') ";

        if (combo3 == null)
        {
            MessageBox.Show("No se pudo convertir");
        }
        else if (combo4 == null)
        {
            MessageBox.Show("No se pudo convertir");
        }
        else
        {

        }

        try
        {
            conn.Open();
            adaptador.InsertCommand = new OleDbCommand(sql, conn);
            adaptador.InsertCommand.ExecuteNonQuery();
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.ToString());
        }
        finally
        {
            conn.Close();
        }
        //}
    }
}

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

你的往事 2024-10-10 05:15:56

您不应将字符串连接到 SQL 语句中。
这样做会破坏代码并创建 SQL 注入漏洞。

相反，您应该使用参数。

例如：

using (var conn = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=mydatabase.accdb"))
using (var command = new OleDbCommand(@"INSERT INTO IndicadorProyecto (idProyecto, idMes, meta, real) VALUES(?, ?, ?, ?") {
    command.Parameters.AddWithValue("a", idProyecto);
    command.Parameters.AddWithValue("b", idMes);
    command.Parameters.AddWithValue("c", meta);
    command.Parameters.AddWithValue("d", real);

    conn.Open();
    command.ExecuteNonQuery();
}

You should not concatenate strings into SQL statements.
By doing so, you break your code and create a SQL injection vulnerability.

Instead, you should use parameters.

For example:

using (var conn = new OleDbConnection(@"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=mydatabase.accdb"))
using (var command = new OleDbCommand(@"INSERT INTO IndicadorProyecto (idProyecto, idMes, meta, real) VALUES(?, ?, ?, ?") {
    command.Parameters.AddWithValue("a", idProyecto);
    command.Parameters.AddWithValue("b", idMes);
    command.Parameters.AddWithValue("c", meta);
    command.Parameters.AddWithValue("d", real);

    conn.Open();
    command.ExecuteNonQuery();
}

回复收藏 0 原文

~没有更多了~