为什么在使用 Prepare() 方法时出现语法错误?没有 'addCustCmd.Prepare();' 问题就消失了
Why am I getting a syntax error when using the Prepare() method? The problem goes away without the 'addCustCmd.Prepare();'
我正在尝试将客户添加到 MySQL 数据库,然后用数据填充 DataGridView。没有 addCustCmd.Prepare(); 方法一切正常。客户被添加到数据库中,我的 DGV 中填充了新数据。但我想为这些输入增加安全性并防止 SQL 注入,因此 Prepare();方法。
public static void addCust(string cCustomerName, string cAddress, string cAddress2, int cPhone, int cPostalCode, string cCity, string cCountry)
{
MySqlConnection addCustConn = new MySqlConnection(connString);
MySqlCommand addCustCmd = new MySqlCommand("INSERT INTO country VALUES " +
"(NULL, @countryName, CURRENT_TIMESTAMP," +
"@user, CURRENT_TIMESTAMP, @user);" +
"INSERT INTO city " +
"VALUES(NULL, @city, LAST_INSERT_ID(), CURRENT_TIMESTAMP, @user, CURRENT_TIMESTAMP, " +
"@user);" +
"INSERT INTO address " +
"VALUES(NULL, @address, @address2, LAST_INSERT_ID(), @postalCode, @phone, CURRENT_TIMESTAMP, @user," +
"CURRENT_TIMESTAMP, @user);" +
"INSERT INTO customer " +
"VALUES(NULL, @customerName, LAST_INSERT_ID(), active, CURRENT_TIMESTAMP, @user," +
"CURRENT_TIMESTAMP, @user);", addCustConn);
addCustConn.Open();
addCustCmd.Parameters.AddWithValue("@countryName", cCountry);
addCustCmd.Parameters.AddWithValue("@city", cCity);
addCustCmd.Parameters.AddWithValue("@address", cAddress);
addCustCmd.Parameters.AddWithValue("@address2", cAddress2);
addCustCmd.Parameters.AddWithValue("@postalCode", cPostalCode);
addCustCmd.Parameters.AddWithValue("@phone", cPhone);
addCustCmd.Parameters.AddWithValue("@customerName", cCustomerName);
addCustCmd.Parameters.AddWithValue("@user", LoginForm.currentUser);
addCustCmd.Prepare(); //Commenting this out allows the program to run no problems
addCustCmd.ExecuteNonQuery();
addCustConn.Close();
}//end addCust
这是我尝试 运行 时弹出的错误:
“您的 SQL 语法有误;请查看与您的 MySQL 服务器版本对应的手册,了解在第 1 行 'INSERT INTO city VALUES(NULL, ?, LAST_INSERT_ID(), CURRENT_TIMESTAMP, ?, CURRENT' 附近使用的正确语法”。 =19=]
每个插入操作都必须是一个单独的命令才能使用准备好的语句。
SQL syntax for prepared statements does not support multi-statements (that is, multiple statements within a single string separated by ; characters).
我正在尝试将客户添加到 MySQL 数据库,然后用数据填充 DataGridView。没有 addCustCmd.Prepare(); 方法一切正常。客户被添加到数据库中,我的 DGV 中填充了新数据。但我想为这些输入增加安全性并防止 SQL 注入,因此 Prepare();方法。
public static void addCust(string cCustomerName, string cAddress, string cAddress2, int cPhone, int cPostalCode, string cCity, string cCountry)
{
MySqlConnection addCustConn = new MySqlConnection(connString);
MySqlCommand addCustCmd = new MySqlCommand("INSERT INTO country VALUES " +
"(NULL, @countryName, CURRENT_TIMESTAMP," +
"@user, CURRENT_TIMESTAMP, @user);" +
"INSERT INTO city " +
"VALUES(NULL, @city, LAST_INSERT_ID(), CURRENT_TIMESTAMP, @user, CURRENT_TIMESTAMP, " +
"@user);" +
"INSERT INTO address " +
"VALUES(NULL, @address, @address2, LAST_INSERT_ID(), @postalCode, @phone, CURRENT_TIMESTAMP, @user," +
"CURRENT_TIMESTAMP, @user);" +
"INSERT INTO customer " +
"VALUES(NULL, @customerName, LAST_INSERT_ID(), active, CURRENT_TIMESTAMP, @user," +
"CURRENT_TIMESTAMP, @user);", addCustConn);
addCustConn.Open();
addCustCmd.Parameters.AddWithValue("@countryName", cCountry);
addCustCmd.Parameters.AddWithValue("@city", cCity);
addCustCmd.Parameters.AddWithValue("@address", cAddress);
addCustCmd.Parameters.AddWithValue("@address2", cAddress2);
addCustCmd.Parameters.AddWithValue("@postalCode", cPostalCode);
addCustCmd.Parameters.AddWithValue("@phone", cPhone);
addCustCmd.Parameters.AddWithValue("@customerName", cCustomerName);
addCustCmd.Parameters.AddWithValue("@user", LoginForm.currentUser);
addCustCmd.Prepare(); //Commenting this out allows the program to run no problems
addCustCmd.ExecuteNonQuery();
addCustConn.Close();
}//end addCust
这是我尝试 运行 时弹出的错误: “您的 SQL 语法有误;请查看与您的 MySQL 服务器版本对应的手册,了解在第 1 行 'INSERT INTO city VALUES(NULL, ?, LAST_INSERT_ID(), CURRENT_TIMESTAMP, ?, CURRENT' 附近使用的正确语法”。 =19=]
每个插入操作都必须是一个单独的命令才能使用准备好的语句。
SQL syntax for prepared statements does not support multi-statements (that is, multiple statements within a single string separated by ; characters).