I'm trying to insert details of a user into a table called user in my database, however i think there's something wrong with how i wrote the query responsible in doing so.
我正在尝试将用户的详细信息插入到我的数据库中名为user的表中,但是我认为编写查询的方式有问题。
Here's what I've done so far:
这是我到目前为止所做的:
public static void addUser(string n, string s)
{
OleDbConnection myConnection = GetConnection();
string myQuery = "INSERT INTO user( Name, Surname) VALUES ( '" + n + " , " + s + "' )";
OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);
try
{
myConnection.Open();
myCommand.ExecuteNonQuery();
}
catch (Exception ex)
{
Console.WriteLine("Exception in DBHandler", ex);
}
finally
{
myConnection.Close();
}
}
4 个解决方案
#1
0
Problem : you are misusing single quotes.
问题:你滥用单引号。
Solution : you need to enclose the VARCHAR types in single quotes properly
解决方案:您需要将VARCHAR类型正确地包含在单引号中
Try This:
尝试这个:
string myQuery = "INSERT INTO [user] ([Name],Surname) VALUES ( '" + n + "' , '" + s + "' )";
I suggest you to use Parameterised sql queries to avoid Sql Injection attacks
我建议你使用Parameterised sql查询来避免Sql Injection攻击
Try This: with Parameterised Queries
试试这个:使用参数化查询
string myQuery = "INSERT INTO [user]([Name], Surname) VALUES (@name,@surname)";
OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);
myCommand.Parameters.AddWithValue("@name",n);
myCommand.Parameters.AddWithValue("@surname",s);
#2
2
Well, you didn't tell us you get any error or not but using parameterized queries is always a better option. This kinf of string concatenations are open for SQL Injection attacks.
好吧,你没有告诉我们你得到任何错误,但使用参数化查询总是一个更好的选择。这种字符串连接的kinf对SQL注入攻击是开放的。
For example;
例如;
string myQuery = "INSERT INTO [user] ([Name], Surname) VALUES (@n, @s)";
OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);
myCommand.Parameters.AddWithValue("@n", n);
myCommand.Parameters.AddWithValue("@s", s);
Also user and Name are reserved keywords on MS Access. You should use them with square brackets like [user] and [Name].
用户和名称也是MS Access上的保留关键字。你应该使用方括号,如[user]和[Name]。
As a general recomendation, don't use reserved keywords for your identifiers and object names in your database.
作为一般推荐,请勿在数据库中使用保留关键字作为标识符和对象名称。
#3
0
You're missing a couple apostrophes.
你错过了几个撇号。
The way you've got it, instead of passing two parameters (i.e. 'one' and 'two'), you're passing a single parameter (i.e. 'one , two').
你得到它的方式,而不是传递两个参数(即'一'和'两'),你传递一个参数(即'一,二')。
Try this:
尝试这个:
string myQuery
= "INSERT INTO user( Name, Surname) VALUES ( '" + n + "' , '" + s + "' )";
#4
0
The thing is that 'user' is a keyword for MS Access. You must put it in angle brackets: [user].
问题是'user'是MS Access的关键字。你必须把它放在尖括号中:[user]。
HTH Thomas
HTH托马斯
#1
0
Problem : you are misusing single quotes.
问题:你滥用单引号。
Solution : you need to enclose the VARCHAR types in single quotes properly
解决方案:您需要将VARCHAR类型正确地包含在单引号中
Try This:
尝试这个:
string myQuery = "INSERT INTO [user] ([Name],Surname) VALUES ( '" + n + "' , '" + s + "' )";
I suggest you to use Parameterised sql queries to avoid Sql Injection attacks
我建议你使用Parameterised sql查询来避免Sql Injection攻击
Try This: with Parameterised Queries
试试这个:使用参数化查询
string myQuery = "INSERT INTO [user]([Name], Surname) VALUES (@name,@surname)";
OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);
myCommand.Parameters.AddWithValue("@name",n);
myCommand.Parameters.AddWithValue("@surname",s);
#2
2
Well, you didn't tell us you get any error or not but using parameterized queries is always a better option. This kinf of string concatenations are open for SQL Injection attacks.
好吧,你没有告诉我们你得到任何错误,但使用参数化查询总是一个更好的选择。这种字符串连接的kinf对SQL注入攻击是开放的。
For example;
例如;
string myQuery = "INSERT INTO [user] ([Name], Surname) VALUES (@n, @s)";
OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);
myCommand.Parameters.AddWithValue("@n", n);
myCommand.Parameters.AddWithValue("@s", s);
Also user and Name are reserved keywords on MS Access. You should use them with square brackets like [user] and [Name].
用户和名称也是MS Access上的保留关键字。你应该使用方括号,如[user]和[Name]。
As a general recomendation, don't use reserved keywords for your identifiers and object names in your database.
作为一般推荐,请勿在数据库中使用保留关键字作为标识符和对象名称。
#3
0
You're missing a couple apostrophes.
你错过了几个撇号。
The way you've got it, instead of passing two parameters (i.e. 'one' and 'two'), you're passing a single parameter (i.e. 'one , two').
你得到它的方式,而不是传递两个参数(即'一'和'两'),你传递一个参数(即'一,二')。
Try this:
尝试这个:
string myQuery
= "INSERT INTO user( Name, Surname) VALUES ( '" + n + "' , '" + s + "' )";
#4
0
The thing is that 'user' is a keyword for MS Access. You must put it in angle brackets: [user].
问题是'user'是MS Access的关键字。你必须把它放在尖括号中:[user]。
HTH Thomas
HTH托马斯