C#SQL语句不起作用
问题描述:
当我执行命令将数据表的值插入SQL Server数据库时,出现错误。C#SQL语句不起作用
','附近的语法不正确。
我的代码:
for (int i = 1; i < dt.Rows.Count; i++) // i = 1 instead of 0 because of the header row
{
wipSql = "INSERT INTO tblWIP ([FSR Number], [Customer Name], REGN_NM, SUBREGN_NM, [EMP/SUPPLIER Name], [INVTY DATE], " +
"[COST CATEGORY], [PL&M AMOUNT], [LABOR AMOUNT], [T&L PERDIEM], [MEMO COST], [EDI SEQ#], [INVOICE NUMBER], [Grand Total], Age, Business) " +
"VALUES ('"
+ dt.Rows[i]["FSR Number"].ToString().Trim() + "', '"
+ dt.Rows[i]["Customer Name"].ToString().Trim() + "', '"
+ dt.Rows[i]["REGN_NM"].ToString().Trim() + "', '"
+ dt.Rows[i]["SUBREGN_NM"].ToString().Trim() + "', '"
+ dt.Rows[i]["EMP/SUPPlier Name"].ToString().Trim() + "', '"
+ dt.Rows[i]["INVTY DATE"].ToString().Trim() + "', '"
+ dt.Rows[i]["COST CATEGORY"].ToString().Trim() + "', "
+ dt.Rows[i]["PL&M AMOUNT"].ToString().Trim() + ", "
+ dt.Rows[i]["LABOR AMOUNT"].ToString().Trim() + ", "
+ dt.Rows[i]["T&L PERDIEM"].ToString().Trim() + ", "
+ dt.Rows[i]["MEMO COST"].ToString().Trim() + ", '"
+ dt.Rows[i]["EDI SEQ#"].ToString().Trim() + "', '"
+ dt.Rows[i]["INVOICE NUMBER"].ToString().Trim() + "', "
+ dt.Rows[i]["Grand Total"].ToString().Trim() + ", "
+ dt.Rows[i]["Age"].ToString().Trim() + ", '"
+ dt.Rows[i]["Business"].ToString().Trim() + "')";
SqlCommand cmdWIP = new SqlCommand(wipSql, localConnection);
cmdWIP.ExecuteNonQuery();
}
答
试试这个,
string wipSql = string.Empty;
for (int i = 1; i < dt.Rows.Count; i++) // i = 1 instead of 0 because of the header row
{
wipSql = "INSERT INTO tblWIP ([FSR Number], [Customer Name], REGN_NM, SUBREGN_NM, [EMP/SUPPLIER Name], [INVTY DATE], [COST CATEGORY], [PL&M AMOUNT], [LABOR AMOUNT], [T&L PERDIEM], [MEMO COST], [EDI SEQ#], [INVOICE NUMBER], [Grand Total], Age, Business) VALUES(@FSRNumber, @CustomerName, @REGN_NM, @SUBREGN_NM, @SupplierName, @InventoryDate, @CostCategory, @PLMAmount, @LaborAmount, @TLPerdiem, @MemoCost, @Ediseq, @InvoiceNumber, @GrandTotal, @Age, @Business)";
SqlCommand cmdWIP = new SqlCommand(wipSql, localConnection);
cmdWIP.Parameters.AddWithValue("@FSRNumber", dt.Rows[i]["FSR Number"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@CustomerName", dt.Rows[i]["Customer Name"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@REGN_NM", dt.Rows[i]["REGN_NM"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@SUBREGN_NM", dt.Rows[i]["SUBREGN_NM"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@SupplierName", dt.Rows[i]["EMP/SUPPlier Name"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@InventoryDate", dt.Rows[i]["INVTY DATE"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@CostCategory", dt.Rows[i]["COST CATEGORY"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@PLMAmount", dt.Rows[i]["PL&M AMOUNT"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@LaborAmount", dt.Rows[i]["LABOR AMOUNT"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@TLPerdiem", dt.Rows[i]["T&L PERDIEM"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@MemoCost", dt.Rows[i]["MEMO COST"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@Ediseq", dt.Rows[i]["EDI SEQ#"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@InvoiceNumber", dt.Rows[i]["INVOICE NUMBER"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@GrandTotal", dt.Rows[i]["Grand Total"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@Age", dt.Rows[i]["Age"].ToString().Trim());
cmdWIP.Parameters.AddWithValue("@Business", dt.Rows[i]["Business"].ToString().Trim());
cmdWIP.ExecuteNonQuery();
}
+0
This worked !!!非常感谢! – swridings
答
开始使用的查询参数和问题,这样就可以避免,你会从SQL注入得到保护。也开始使用@
这给你在多行上写字符串的可能性。
wipSql = @"INSERT INTO
tblWIP ([FSR Number], [Customer Name], REGN_NM, SUBREGN_NM, [EMP/SUPPLIER Name], [INVTY DATE], [COST CATEGORY], [PL&M AMOUNT], [LABOR AMOUNT], [T&L PERDIEM], [MEMO COST], [EDI SEQ#], [INVOICE NUMBER], [Grand Total], Age, Business)
VALUES
(@Number, @Name, @Regn_NM, .... and so on)";
//after that here
SqlCommand cmdWIP = new SqlCommand(wipSql, localConnection);
cmdWIP.Parameters.AddWithValue(@Number, dt.Rows[i]["FSR Number"].ToString().Trim());
cmdWIP.Parameters.AddWithValue(@Name, dt.Rows[i]["Customer Name"].ToString().Trim());
cmdWIP.Parameters.AddWithValue(@Regn_NM, dt.Rows[i]["REGN_NM"].ToString().Trim());
//and so on for other parameters
+0
推荐阅读:[SQL注入](https://www.owasp.org/index .php/SQL_Injection#Example_2) –
你尝试打印'wipSql',看看结果输出查询?推荐的方法是使用sql参数,而不是做字符串追加来创建一个sql语句 – ughai
基于你的错误,我觉得你缺少一些引号。 –
对于ughai使用参数的建议+1。如果客户的名称包含引号(例如“O'Connor”)以及SQL注入攻击,那么您将自己置之不理。请参阅https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.prepare(v=vs.110).aspx – racraman