为什么此 sql 查询会出现错误,而该错误之前在 C# ASP.NET 中运行良好?
我有 default.aspx 页面,其中放置了 CreateUserWizard1。
SqlConnection con = new SqlConnection("server=.;database=test;integrated security=true");
SqlCommand cmd = new SqlCommand();
并且,在 Continue_Click 事件中,我在后面放置了这样的代码
protected void ContinueButton_Click(object sender, EventArgs e)
{
string un = CreateUserWizard1.UserName.ToString();
try
{
con.Open();
cmd.CommandText = "create table " + un + " (id int IDENTITY(1,1) primary key,username varchar(50),fname varchar(50),mname varchar(50),lname varchar(50),mobile varchar(10),college varchar(5000),school varchar(5000),working varchar(5000),prevworking varchar(5000),skill varchar(MAX),interest varchar(MAX),achievment varchar(MAX),image varchar(MAX) default '~/image/default_male.jpg')";
cmd.Connection = con;
cmd.ExecuteNonQuery();
}
Catch (Exception a)
{
Response.write(a.Message);
}
}
,以前工作正常,但现在它给出错误并执行 catch 块,说明
Incorrect syntax near '('.
您能帮我找到问题并给我解决方案吗?
machine.XML 的一些其他详细信息是
<connectionStrings>
<add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient"/>
</connectionStrings>
<membership>
<providers>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
</providers>
</membership>
I have default.aspx page in which I have placed CreateUserWizard1.
SqlConnection con = new SqlConnection("server=.;database=test;integrated security=true");
SqlCommand cmd = new SqlCommand();
and, On Continue_Click event I have placed a code behind like this
protected void ContinueButton_Click(object sender, EventArgs e)
{
string un = CreateUserWizard1.UserName.ToString();
try
{
con.Open();
cmd.CommandText = "create table " + un + " (id int IDENTITY(1,1) primary key,username varchar(50),fname varchar(50),mname varchar(50),lname varchar(50),mobile varchar(10),college varchar(5000),school varchar(5000),working varchar(5000),prevworking varchar(5000),skill varchar(MAX),interest varchar(MAX),achievment varchar(MAX),image varchar(MAX) default '~/image/default_male.jpg')";
cmd.Connection = con;
cmd.ExecuteNonQuery();
}
Catch (Exception a)
{
Response.write(a.Message);
}
}
Which was previously working fine but now it’s giving error and executing catch block stating
Incorrect syntax near '('.
Will you please help me to find the problem and give me solution?
Some Other details of machine.XML are
<connectionStrings>
<add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient"/>
</connectionStrings>
<membership>
<providers>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="true" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression=""/>
</providers>
</membership>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您的变量
un来自不受信任的来源,那么使用它来构建命令字符串并不是一个好主意。我的第一个猜测可能是,该变量的值包含您的 sql 查询的非法字符?我认为您可以使用 SqlCommand 参数导入该值。基本上,您可以使用 sqlparameter 替换动态字符串构建,然后为命令定义该参数:
CommandString:
导入参数(您需要在调用
cmd.ExecuteNonQuery();之前执行此操作):我希望这有帮助,请告诉我们是否有任何改变:)
If your variable
unis from an untrusted source, it's not a good idea to use it for building a command string. My first guess might be, that the value of that variable contains illegal characters for your sql-query?I think you could import that value by using SqlCommand Parameters. Basically, you replace your dynamic string building by using an sqlparameter, which you then define for your command:
CommandString:
Importing Parameter (You need to do this before calling
cmd.ExecuteNonQuery();):I hope this helps, pls let us know if it changes anything :)