SQL查询错误:“#”附近的语法不正确?

时间:2022-03-21 00:54:45

When I try to execute this SQL query:

当我尝试执行此SQL查询时:

savInto.CommandText = "update onCommands set warnDate =#" & movDate.Value.ToString("MM/dd/yyyy") 
& "#,updateDate =#" & Date.Now.ToShortDateString 
& "#,transportCompany ='" & Trim(Company.Text) 
& "' where ID =" & moveID

I get this error:

我收到此错误:

Incorrect syntax near '#'

2 个解决方案

#1


4  

Well the main problem is that you're trying to provide the parameter as part of the SQL itself. While there are ways of doing that (use an apostrophe rather than #), it's generally a bad idea:

那么主要的问题是你试图提供参数作为SQL本身的一部分。虽然有办法做到这一点(使用撇号而不是#),但这通常是一个坏主意:

  • It invites SQL injection attacks when used with arbitrary strings
  • 当与任意字符串一起使用时,它会引发SQL注入攻击
  • It makes it harder to read the code
  • 这使得阅读代码变得更加困难
  • It introduces unnecessary string conversions
  • 它引入了不必要的字符串转换

Instead, you should use parameterized SQL and specify the value for the parameter. Something like:

相反,您应该使用参数化SQL并指定参数的值。就像是:

savInto.CommandText = "update onCommands set warnDate = @warnDate" & 
    ", updateDate = @updateDate, transportCompany = @transportCompany" &
    " where ID=@moveID"
savInto.Parameters.Add("@warnDate", SqlDbType.DateTime).Value = movDate
savInto.Parameters.Add("@updateDate", SqlDbType.DateTime).Value = Date.Now
savInto.Parameters.Add("@transportCompany", SqlDbType.NVarChar).Value = Trim(Company.Text)
savInto.Parameters.Add("@moveID", SqlDbType.NVarChar).Value = moveID

#2


1  

Why are you using # character? What database are you using (sql server, oracle, mysql...)

你为什么使用#character?你使用什么数据库(sql server,oracle,mysql ...)

Try this:

尝试这个:

savInto.CommandText = "update onCommands set warnDate ='" & movDate.Value.ToString("MM/dd/yyyy") & "',updateDate ='" & Date.Now.ToShortDateString & "',transportCompany ='" & Trim(Company.Text) & "' where ID =" & moveID

#1


4  

Well the main problem is that you're trying to provide the parameter as part of the SQL itself. While there are ways of doing that (use an apostrophe rather than #), it's generally a bad idea:

那么主要的问题是你试图提供参数作为SQL本身的一部分。虽然有办法做到这一点(使用撇号而不是#),但这通常是一个坏主意:

  • It invites SQL injection attacks when used with arbitrary strings
  • 当与任意字符串一起使用时,它会引发SQL注入攻击
  • It makes it harder to read the code
  • 这使得阅读代码变得更加困难
  • It introduces unnecessary string conversions
  • 它引入了不必要的字符串转换

Instead, you should use parameterized SQL and specify the value for the parameter. Something like:

相反,您应该使用参数化SQL并指定参数的值。就像是:

savInto.CommandText = "update onCommands set warnDate = @warnDate" & 
    ", updateDate = @updateDate, transportCompany = @transportCompany" &
    " where ID=@moveID"
savInto.Parameters.Add("@warnDate", SqlDbType.DateTime).Value = movDate
savInto.Parameters.Add("@updateDate", SqlDbType.DateTime).Value = Date.Now
savInto.Parameters.Add("@transportCompany", SqlDbType.NVarChar).Value = Trim(Company.Text)
savInto.Parameters.Add("@moveID", SqlDbType.NVarChar).Value = moveID

#2


1  

Why are you using # character? What database are you using (sql server, oracle, mysql...)

你为什么使用#character?你使用什么数据库(sql server,oracle,mysql ...)

Try this:

尝试这个:

savInto.CommandText = "update onCommands set warnDate ='" & movDate.Value.ToString("MM/dd/yyyy") & "',updateDate ='" & Date.Now.ToShortDateString & "',transportCompany ='" & Trim(Company.Text) & "' where ID =" & moveID