I have a simple asp.net form for an individual to fill out, and the code I used on this particular page works in several other locations, but this page is giving me an issue.
我有一个简单的asp.net表单供个人填写,我在这个特定页面上使用的代码在其他几个地方工作,但是这个页面给了我一个问题。
It's saying there is a syntax error in the INSERT statement. Can you see anything wrong with it?
它说INSERT语句中存在语法错误。你能看出它有什么问题吗?
The click event code:
点击事件代码:
cmdInsert.CommandText = "INSERT INTO Position (Com_ID, Stu_ID, Pos_StartDate, Pos_Type, Pos_Description, Pos_Title) VALUES (' " & ddlCompany.SelectedValue & " ', ' " & ddlStudent.SelectedValue & " ', #" & CalStartDate.SelectedDate.Date & "#, ' " & ddlPositionType.SelectedValue & " ', ' " & txtDescription.Text & " ', ' " & txtPositionTitle.Text & " ');"
'MsgBox(cmdInsert.CommandText)
cmdInsert.CommandType = CommandType.Text
cmdInsert.Connection = cnnOLEDB
cmdInsert.ExecuteNonQuery()
txtPositionTitle.Text = ""
txtDescription.Text = "Record inserted."
CalStartDate.SelectedDates.Clear()
cmdInsert.Dispose()
The data captured from the form lines up with the data type in the database. Any ideas?
从表单捕获的数据与数据库中的数据类型对齐。有任何想法吗?
Here's the stack trace:
这是堆栈跟踪:
[OleDbException (0x80040e14): Syntax error in INSERT INTO statement.]
System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) +1081356
System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult) +247
System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult) +194
System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult) +58
System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method) +167
System.Data.OleDb.OleDbCommand.ExecuteNonQuery() +113
Tiger_Recruiting.WebForm3.btnSaveStudentRecord_Click(Object sender, EventArgs e) in C:\Users\Garrett\Downloads\Tiger Recruiting(3)\Tiger Recruiting(3)\Tiger Recruiting(3)\Tiger Recruiting\Tiger Recruiting\position.aspx.vb:28
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +141
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +149
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +39
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +37
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +87
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +4225
1 个解决方案
#1
2
The word POSITION is a reserved keyword in MS-Access-Jet.
You use it for a table name thus you need to encapsulate it with square brackets
POSITION一词是MS-Access-Jet中的保留关键字。您将它用于表名,因此您需要使用方括号将其封装
cmdInsert.CommandText = "INSERT INTO [Position] .......
A part from this, your code is very bad. Do not use string cancatenation to build sql commands.
This practice leads to syntax error when in your input there is a single quote or do you have other fields that require a particular formatting of the input value. But the worst of all is the problem of Sql Injection Look here for a funny explanation
从这一点来看,你的代码非常糟糕。不要使用字符串cancatenation来构建sql命令。当您在输入中有单引号或者您有其他需要输入值特定格式的字段时,这种做法会导致语法错误。但最糟糕的是Sql Injection的问题在这里寻找一个有趣的解释
So your code should be written in this way:
所以你的代码应该用这种方式编写:
cmdInsert.CommandText = "INSERT INTO [Position] (Com_ID, Stu_ID, Pos_StartDate, Pos_Type, " +
"Pos_Description, Pos_Title) VALUES " +
"(?,?,?,?,?,?)"
cmdInsert.Parameters.AddWithValue("@p1",ddlCompany.SelectedValue)
cmdInsert.Parameters.AddWithValue("@p2",ddlStudent.SelectedValue)
cmdInsert.Parameters.AddWithValue("@p3",CalStartDate.SelectedDate.Date)
cmdInsert.Parameters.AddWithValue("@p4",ddlPositionType.SelectedValue)
cmdInsert.Parameters.AddWithValue("@p5",txtDescription.Text)
cmdInsert.Parameters.AddWithValue("@p6",txtPositionTitle.Text)
cmdInsert.Connection = cnnOLEDB
cmdInsert.ExecuteNonQuery()
#1
2
The word POSITION is a reserved keyword in MS-Access-Jet.
You use it for a table name thus you need to encapsulate it with square brackets
POSITION一词是MS-Access-Jet中的保留关键字。您将它用于表名,因此您需要使用方括号将其封装
cmdInsert.CommandText = "INSERT INTO [Position] .......
A part from this, your code is very bad. Do not use string cancatenation to build sql commands.
This practice leads to syntax error when in your input there is a single quote or do you have other fields that require a particular formatting of the input value. But the worst of all is the problem of Sql Injection Look here for a funny explanation
从这一点来看,你的代码非常糟糕。不要使用字符串cancatenation来构建sql命令。当您在输入中有单引号或者您有其他需要输入值特定格式的字段时,这种做法会导致语法错误。但最糟糕的是Sql Injection的问题在这里寻找一个有趣的解释
So your code should be written in this way:
所以你的代码应该用这种方式编写:
cmdInsert.CommandText = "INSERT INTO [Position] (Com_ID, Stu_ID, Pos_StartDate, Pos_Type, " +
"Pos_Description, Pos_Title) VALUES " +
"(?,?,?,?,?,?)"
cmdInsert.Parameters.AddWithValue("@p1",ddlCompany.SelectedValue)
cmdInsert.Parameters.AddWithValue("@p2",ddlStudent.SelectedValue)
cmdInsert.Parameters.AddWithValue("@p3",CalStartDate.SelectedDate.Date)
cmdInsert.Parameters.AddWithValue("@p4",ddlPositionType.SelectedValue)
cmdInsert.Parameters.AddWithValue("@p5",txtDescription.Text)
cmdInsert.Parameters.AddWithValue("@p6",txtPositionTitle.Text)
cmdInsert.Connection = cnnOLEDB
cmdInsert.ExecuteNonQuery()