使用c#和asp.net将sql插入到access db时出现语法错误

时间:2021-09-16 02:05:56

I get an error on the line

我在线路上出错了

cmd.ExecuteNonQuery();

which says

Syntax error in INSERT INTO statement

INSERT INTO语句中的语法错误。

I think my query should be valid, I don't understand the problem and I've been working on it for hours. It's in the right order and putting [] around Users did not work for me, would appreciate help.

我认为我的问题应该是有效的,我不理解这个问题,我已经花了好几个小时在这个问题上。这是正确的顺序,并把[]周围的用户不为我工作,将感激帮助。

<%@ Page Language ="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.OleDb" %>   
    <script runat="server">
    protected void Page_Load()
    {

            String username = Request.Form["username"];
            String email = Request.Form["email"];
            String password = Request.Form["password1"];
            var age = Request.Form["age"];
            String country = Request.Form["country"];
            String hobbie = Request.Form["skin"];
            String sql;

            sql = "INSERT INTO Users(UserName, Email, Password, Age, Country, Hobbie) VALUES('" + username + "','" + email + "','" + password + "'," + age + ",'" + country + "','" + skin + "')";

            String Path = Server.MapPath("App_Data/Users.accdb");
            String connStr = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source="+Path;

            OleDbConnection conn = new OleDbConnection(connStr);
            conn.Open();

            OleDbCommand cmd = new OleDbCommand(sql, conn);
            cmd.ExecuteNonQuery();

            conn.Close();
    }

3 个解决方案

#1


4  

PASSWORD is a reserved keyword for MS-Access. Use it enclosed in square brackets

密码是MS-Access的保留关键字。用方括号括起来

    sql = "INSERT INTO Users(UserName, Email, [Password] ....

But please, change that sql text to use a parameterized query. Also, if you are able to send this command with the actual values your query remains open to Sql Injection vulnerability and a parsing problem could arise when your input string contains a single quote

但是请修改sql文本以使用参数化查询。另外,如果您能够将这个命令与实际值一起发送,那么您的查询仍然可以打开Sql注入漏洞,当您的输入字符串包含单引号时,可能会出现解析问题。

   sql = @"INSERT INTO Users(UserName, Email, [Password], Age, Country, Hobbie) 
           VALUES(?,?,?,?,?,?)";
   ....

   OleDbCommand cmd = new OleDbCommand(sql, conn);
   cmd.Parameters.AddWithValue("@p1", username);
   .... and so on for the other 5 parameters required by the query ....

#2


2  

I think Password is a reserved word. use like [Password]

我认为密码是一个保留字。使用(密码)

Try this

试试这个

sql = "INSERT INTO Users(UserName,Email,[Password],Age,Country,Hobbie) VALUES('" + username + "','" + email + "','" + password + "'," + age + ",'" + country + "','" + skin + "')";

And this is not recommended. Use parameterized query. like below:

这是不推荐的。使用参数化查询。像下图:

 sql = "INSERT INTO Users(UserName, Email, [Password], Age, Country, Hobbie) 
           VALUES(@UserName,@Email,@Password,@Age,@Country,@Hobbie)";

   OleDbCommand cmd = new OleDbCommand(sql, conn);
   cmd.Connection = conn;
   cmd.CommandType = CommandType.Text;   
   cmd.Parameters.AddWithValue("@UserName", username);
   cmd.Parameters.AddWithValue("@Email", Email);
   cmd.Parameters.AddWithValue("@Password", Password);
   cmd.Parameters.AddWithValue("@Age", Age);
   cmd.Parameters.AddWithValue("@Country", Country);
   cmd.Parameters.AddWithValue("@Hobbie", Hobbie);

#3


1  

use [Password] instead of Password

使用[密码]代替密码

#1


4  

PASSWORD is a reserved keyword for MS-Access. Use it enclosed in square brackets

密码是MS-Access的保留关键字。用方括号括起来

    sql = "INSERT INTO Users(UserName, Email, [Password] ....

But please, change that sql text to use a parameterized query. Also, if you are able to send this command with the actual values your query remains open to Sql Injection vulnerability and a parsing problem could arise when your input string contains a single quote

但是请修改sql文本以使用参数化查询。另外,如果您能够将这个命令与实际值一起发送,那么您的查询仍然可以打开Sql注入漏洞,当您的输入字符串包含单引号时,可能会出现解析问题。

   sql = @"INSERT INTO Users(UserName, Email, [Password], Age, Country, Hobbie) 
           VALUES(?,?,?,?,?,?)";
   ....

   OleDbCommand cmd = new OleDbCommand(sql, conn);
   cmd.Parameters.AddWithValue("@p1", username);
   .... and so on for the other 5 parameters required by the query ....

#2


2  

I think Password is a reserved word. use like [Password]

我认为密码是一个保留字。使用(密码)

Try this

试试这个

sql = "INSERT INTO Users(UserName,Email,[Password],Age,Country,Hobbie) VALUES('" + username + "','" + email + "','" + password + "'," + age + ",'" + country + "','" + skin + "')";

And this is not recommended. Use parameterized query. like below:

这是不推荐的。使用参数化查询。像下图:

 sql = "INSERT INTO Users(UserName, Email, [Password], Age, Country, Hobbie) 
           VALUES(@UserName,@Email,@Password,@Age,@Country,@Hobbie)";

   OleDbCommand cmd = new OleDbCommand(sql, conn);
   cmd.Connection = conn;
   cmd.CommandType = CommandType.Text;   
   cmd.Parameters.AddWithValue("@UserName", username);
   cmd.Parameters.AddWithValue("@Email", Email);
   cmd.Parameters.AddWithValue("@Password", Password);
   cmd.Parameters.AddWithValue("@Age", Age);
   cmd.Parameters.AddWithValue("@Country", Country);
   cmd.Parameters.AddWithValue("@Hobbie", Hobbie);

#3


1  

use [Password] instead of Password

使用[密码]代替密码