Why do I get "Incorrect syntax near 'Letter'"?

Posted 2025-01-30 08:30:40, 1318 characters, 2 views, 0 comments


I'm trying to add new car details to the system. I want to add varchar values for the CarId. In the database, the type of the CarId is varchar.

This is my code:

private void btnAddCar_Click(object sender, EventArgs e)
{
    if (txtCarId.Text == "" || txtModel.Text == "" || txtColor.Text == "" || txtFuelType.Text == "" || txtPrice.Text == "")
    {
        MessageBox.Show("Missing Information");
    }
    else
    {
        try
        {
            Con.Open();
            // CarID is concatenated without quotes, so a non-numeric id is parsed by SQL Server
            // as a column name; the other values are quoted but still pasted into the SQL verbatim.
            string query = "insert into CAR(CarID,Model,Color,FuelType,Available,Price) values(" + txtCarId.Text + ",'" + txtModel.Text + "','" + txtColor.Text + "','" + txtFuelType.Text + "','" + cmbBoxAvailable.SelectedItem.ToString() + "'," + txtPrice.Text + ")";
            SqlCommand cmd = new SqlCommand(query, Con);
            cmd.ExecuteNonQuery();
            MessageBox.Show("Car Successfully Added");
            Con.Close();
            populate();
        }
        catch (Exception myEx)
        {
            MessageBox.Show(myEx.Message);
        }
    }
}

But when I input values into the CarId textbox, an exception occurs: "Invalid column name", "Incorrect syntax near 'Letter'".

Comments (1)

时间海 2025-02-06 08:30:40


I'm going to make an attempt at fixing your code and hope it solves your issue or at least makes it clearer what is going wrong. Here is the new code:

using System.Data.SqlClient;   // SqlConnection, SqlCommand

private void btnAddCar_Click(object sender, EventArgs e)
{
    if (txtCarId.Text == "" || txtModel.Text == "" || txtColor.Text == "" || txtFuelType.Text == "" || txtPrice.Text == "")
    {
        MessageBox.Show("Missing Information");
    }
    else
    {
        try
        {
            // Local connection in a using block: closed and disposed even when an exception is thrown.
            using (var con = new SqlConnection(<your connectionstring goes here>))
            {
                con.Open();
                // Named parameters instead of concatenation: the textbox contents never become part of the SQL text.
                string query = "INSERT INTO CAR(CarID,Model,Color,FuelType,Available,Price) VALUES(@CarID,@Model,@Color,@FuelType,@Available,@Price)";
                using (var cmd = new SqlCommand(query, con))
                {
                    cmd.Parameters.AddWithValue("@CarID", txtCarId.Text);   // CarID comes from the CarId textbox
                    cmd.Parameters.AddWithValue("@Model", txtModel.Text);
                    cmd.Parameters.AddWithValue("@Color", txtColor.Text);
                    cmd.Parameters.AddWithValue("@FuelType", txtFuelType.Text);
                    cmd.Parameters.AddWithValue("@Available", cmbBoxAvailable.SelectedItem.ToString());
                    cmd.Parameters.AddWithValue("@Price", txtPrice.Text);
                    cmd.ExecuteNonQuery();
                    MessageBox.Show("Car Successfully Added");
                }
                populate();
            }
        }
        catch (Exception myEx)
        {
            MessageBox.Show(myEx.Message);
        }
    }
}

So, the SqlConnection is now local and wrapped in a using pattern, so it will be closed and disposed automatically. The same goes for the SqlCommand.

The query is using parameters, so that SQL injection is prevented and you don't have to think about the database types. That's not quite true: I assume all database fields are strings, which is highly unlikely, but you haven't specified otherwise. Fields that are not strings you will have to convert to the right type before setting the value of the parameter.

In real life you would put all the database stuff in a data layer and only deal with the user interface here, but I left that for yourself to sort out.

Also you shouldn't catch Exception, but the Exception subtypes that are likely to occur.
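As an added example (not code from the question or the answer above), the following Python script reproduces with sqlite3 both the failure the question reports and the parameterised fix the answer recommends: an unquoted CarID such as CAR001 is parsed as a column name, an id containing a space trips a syntax error, a purely numeric id slips through unnoticed, and the placeholder version stores every value verbatim. The CAR table definition and sample values are constructed here, and SQLite's error wording differs from SQL Server's "Invalid column name" / "Incorrect syntax near".

```python
import sqlite3

# Constructed stand-in for the page's CAR table (SQLite in memory, not SQL Server).
SCHEMA = """
CREATE TABLE CAR (
    CarID VARCHAR(20), Model VARCHAR(50), Color VARCHAR(20),
    FuelType VARCHAR(20), Available VARCHAR(5), Price DECIMAL(10, 2)
)
"""


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    return con


def insert_concatenated(con, car_id, model, color, fuel, available, price):
    """Mirrors the question's query: CarID pasted in unquoted, the rest single-quoted."""
    query = ("insert into CAR(CarID,Model,Color,FuelType,Available,Price) values("
             + car_id + ",'" + model + "','" + color + "','" + fuel + "','"
             + available + "'," + price + ")")
    try:
        con.execute(query)  # the user's text is now part of the SQL itself
        return "ok"
    except sqlite3.Error as e:
        # e.g. "no such column: CAR001" or 'near "1": syntax error'
        return "error: " + str(e)


def insert_parameterized(con, car_id, model, color, fuel, available, price):
    """The answer's approach: placeholders, values handed to the driver separately."""
    query = ("INSERT INTO CAR(CarID,Model,Color,FuelType,Available,Price) "
             "VALUES(?,?,?,?,?,?)")
    con.execute(query, (car_id, model, color, fuel, available, price))
    return "ok"


def stored_ids(con):
    return [row[0] for row in con.execute("SELECT CarID FROM CAR ORDER BY CarID")]
```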
