I'm trying to add a WHERE
clause to my SQL statement but get an error:
我试图在我的SQL语句中添加WHERE子句,但是得到了一个错误:
Incorrect syntax near the keyword 'WHERE'.
在关键字“WHERE”附近的语法不正确。
when running the program.
当运行程序。
My SQL statement
我的SQL语句
insertCommand.CommandText = "INSERT INTO [UserInformation] (Password, NewUser) " _
& "Values('" & Pw1 & "', '" & NewUSR & "') WHERE ([Email] = '" & txtUserName2 & "') "
Any ideas?
什么好主意吗?
2 个解决方案
#1
5
What is the meaning of a WHERE clause in a INSERT statement?
You should remove everything after the closing parenthesys for the values
INSERT语句中的WHERE子句是什么意思?您应该在值的结束括号之后删除所有内容
Of course, you should also not use string concatenation in sql statements because your code is exposed to Sql Injection
当然,您也不应该在sql语句中使用字符串连接,因为您的代码公开给sql注入
insertCommand.CommandText = "INSERT INTO [UserInformation] " & _
"(Password, NewUser) Values(@pwd,@newusr)"
insertCommand.Parameters.AddWithValue("@pwd", Pw1)
insertCommand.Parameters.AddWithValue("@new", NewUSR )
Instead, if your plan is to UPDATE the record, then the WHERE is required, but the query text is different
相反,如果您的计划是更新记录,则需要WHERE,但是查询文本不同
updateCommand.CommandText = "UPDATE [UserInformation] " & _
"SET Password = @pwd, NewUser = @newusr " & _
"WHERE ([Email] = @email) "
If you use parameters to pass your values you remove the possibility of SQL Injection, but another great benefit is that now your query text is not littered with open/close quotes. You leave the correct parsing of your command (including the exact resolution of the parameters) to the underlying database code.
如果您使用参数传递值,那么您将消除SQL注入的可能性,但是另一个好处是,现在您的查询文本中没有乱放打开/关闭引号。将命令的正确解析(包括参数的精确解析)留给底层数据库代码。
#2
0
You'll need to so an INSERT and SELECT combo.
您需要插入和选择组合。
http://technet.microsoft.com/en-us/library/ms188263(v=sql.105).aspx
http://technet.microsoft.com/en-us/library/ms188263(v = sql.105). aspx
#1
5
What is the meaning of a WHERE clause in a INSERT statement?
You should remove everything after the closing parenthesys for the values
INSERT语句中的WHERE子句是什么意思?您应该在值的结束括号之后删除所有内容
Of course, you should also not use string concatenation in sql statements because your code is exposed to Sql Injection
当然,您也不应该在sql语句中使用字符串连接,因为您的代码公开给sql注入
insertCommand.CommandText = "INSERT INTO [UserInformation] " & _
"(Password, NewUser) Values(@pwd,@newusr)"
insertCommand.Parameters.AddWithValue("@pwd", Pw1)
insertCommand.Parameters.AddWithValue("@new", NewUSR )
Instead, if your plan is to UPDATE the record, then the WHERE is required, but the query text is different
相反,如果您的计划是更新记录,则需要WHERE,但是查询文本不同
updateCommand.CommandText = "UPDATE [UserInformation] " & _
"SET Password = @pwd, NewUser = @newusr " & _
"WHERE ([Email] = @email) "
If you use parameters to pass your values you remove the possibility of SQL Injection, but another great benefit is that now your query text is not littered with open/close quotes. You leave the correct parsing of your command (including the exact resolution of the parameters) to the underlying database code.
如果您使用参数传递值,那么您将消除SQL注入的可能性,但是另一个好处是,现在您的查询文本中没有乱放打开/关闭引号。将命令的正确解析(包括参数的精确解析)留给底层数据库代码。
#2
0
You'll need to so an INSERT and SELECT combo.
您需要插入和选择组合。
http://technet.microsoft.com/en-us/library/ms188263(v=sql.105).aspx
http://technet.microsoft.com/en-us/library/ms188263(v = sql.105). aspx