与 SQL 的 C# 连接
C# connection with SQL
[WebMethod]
public void RegisterStudent(string Name, string Gender, int Marks)
{
string connectionString =
"Data Source =SAJID-PC\SQLEXPRESS;Initial Catalog=Design;Integrated Security=True";
SqlConnection con = new SqlConnection(connectionString);
con.Open();
String query = "INSERT INTO Students VALUES + ('" + Name + "', '" + Gender + "'," + Marks + ")";
SqlCommand sqlcom = new SqlCommand(query, con);
sqlcom.ExecuteNonQuery();
con.Close();
}
调用方法时出现此错误:
System.Data.SqlClient.SqlException: Incorrect syntax near '+'.
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception,
Boolean breakConnection, Action1 wrapCloseInAction) at
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException
exception, Boolean breakConnection, Action1 wrapCloseInAction) at
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject
stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at
System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior,
SqlCommand cmdHandler, SqlDataReader dataStream,
BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject
stateObj, Boolean& dataReady) at
System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String
methodName, Boolean async, Int32 timeout, Boolean asyncWrite) at
System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1
completion, String methodName, Boolean sendToPipe, Int32 timeout,
Boolean asyncWrite) at
System.Data.SqlClient.SqlCommand.ExecuteNonQuery() at
Assignment4Web.StudentService.RegisterStudent(String Name, String
Gender, Int32 Marks) in c:\users\sajid\documents\visual studio
2010\Projects\Assignment4Web\Assignment4Web\StudentService.asmx.cs:line
56
在 Values 之后删除不必要的 +,并在 Marks 周围添加 ',如下所示:
String query = "INSERT INTO Students VALUES ('" + Name + "', '" + Gender + "','" + Marks + "')";
虽然你应该总是使用parameterized queries to avoid SQL Injection。像这样:
SqlCommand sqlcom = new SqlCommand("INSERT INTO Students VALUES(@Name ,@Gender,@Marks");
cmd.Parameters.AddWithValue("@Name",Name);
cmd.Parameters.AddWithValue("@Gender",Gender);
cmd.Parameters.AddWithValue("@Marks",Marks);
[WebMethod]
public void RegisterStudent(string Name, string Gender, int Marks)
{
string connectionString =
"Data Source =SAJID-PC\SQLEXPRESS;Initial Catalog=Design;Integrated Security=True";
SqlConnection con = new SqlConnection(connectionString);
con.Open();
String query = "INSERT INTO Students VALUES + ('" + Name + "', '" + Gender + "'," + Marks + ")";
SqlCommand sqlcom = new SqlCommand(query, con);
sqlcom.ExecuteNonQuery();
con.Close();
}
调用方法时出现此错误:
System.Data.SqlClient.SqlException: Incorrect syntax near '+'. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action1 wrapCloseInAction) at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite) at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite) at System.Data.SqlClient.SqlCommand.ExecuteNonQuery() at Assignment4Web.StudentService.RegisterStudent(String Name, String Gender, Int32 Marks) in c:\users\sajid\documents\visual studio 2010\Projects\Assignment4Web\Assignment4Web\StudentService.asmx.cs:line 56
在 Values 之后删除不必要的 +,并在 Marks 周围添加 ',如下所示:
String query = "INSERT INTO Students VALUES ('" + Name + "', '" + Gender + "','" + Marks + "')";
虽然你应该总是使用parameterized queries to avoid SQL Injection。像这样:
SqlCommand sqlcom = new SqlCommand("INSERT INTO Students VALUES(@Name ,@Gender,@Marks");
cmd.Parameters.AddWithValue("@Name",Name);
cmd.Parameters.AddWithValue("@Gender",Gender);
cmd.Parameters.AddWithValue("@Marks",Marks);