如何将值插入数据库(Microsoft访问)?

时间:2022-09-01 15:46:49

I'm trying to insert details of a user into a table called user in my database, however i think there's something wrong with how i wrote the query responsible in doing so.

我正在尝试将用户的详细信息插入到我的数据库中名为user的表中,但是我认为编写查询的方式有问题。

Here's what I've done so far:

这是我到目前为止所做的:

public static void addUser(string n, string s)
{
    OleDbConnection myConnection = GetConnection();
    string myQuery = "INSERT INTO user( Name, Surname) VALUES ( '" + n + " , " + s + "' )";
    OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);

    try
    {
        myConnection.Open();
        myCommand.ExecuteNonQuery();
    }
    catch (Exception ex)
    {
        Console.WriteLine("Exception in DBHandler", ex);
    }
    finally
    {
        myConnection.Close();
    }
}

4 个解决方案

#1


0  

Problem : you are misusing single quotes.

问题:你滥用单引号。

Solution : you need to enclose the VARCHAR types in single quotes properly

解决方案:您需要将VARCHAR类型正确地包含在单引号中

Try This:

尝试这个:

string myQuery = "INSERT INTO [user] ([Name],Surname) VALUES ( '" + n + "' , '" + s + "' )";

I suggest you to use Parameterised sql queries to avoid Sql Injection attacks

我建议你使用Parameterised sql查询来避免Sql Injection攻击

Try This: with Parameterised Queries

试试这个:使用参数化查询

string myQuery = "INSERT INTO [user]([Name], Surname) VALUES (@name,@surname)";
OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);
myCommand.Parameters.AddWithValue("@name",n);
myCommand.Parameters.AddWithValue("@surname",s);

#2


2  

Well, you didn't tell us you get any error or not but using parameterized queries is always a better option. This kinf of string concatenations are open for SQL Injection attacks.

好吧,你没有告诉我们你得到任何错误,但使用参数化查询总是一个更好的选择。这种字符串连接的kinf对SQL注入攻击是开放的。

For example;

例如;

string myQuery = "INSERT INTO [user] ([Name], Surname) VALUES (@n, @s)";
OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);
myCommand.Parameters.AddWithValue("@n", n);
myCommand.Parameters.AddWithValue("@s", s);

Also user and Name are reserved keywords on MS Access. You should use them with square brackets like [user] and [Name].

用户和名称也是MS Access上的保留关键字。你应该使用方括号,如[user]和[Name]。

As a general recomendation, don't use reserved keywords for your identifiers and object names in your database.

作为一般推荐,请勿在数据库中使用保留关键字作为标识符和对象名称。

#3


0  

You're missing a couple apostrophes.

你错过了几个撇号。

The way you've got it, instead of passing two parameters (i.e. 'one' and 'two'), you're passing a single parameter (i.e. 'one , two').

你得到它的方式,而不是传递两个参数(即'一'和'两'),你传递一个参数(即'一,二')。

Try this:

尝试这个:

string myQuery
    = "INSERT INTO user( Name, Surname) VALUES ( '" + n + "' , '" + s + "' )";

#4


0  

The thing is that 'user' is a keyword for MS Access. You must put it in angle brackets: [user].

问题是'user'是MS Access的关键字。你必须把它放在尖括号中:[user]。

HTH Thomas

HTH托马斯

#1


0  

Problem : you are misusing single quotes.

问题:你滥用单引号。

Solution : you need to enclose the VARCHAR types in single quotes properly

解决方案:您需要将VARCHAR类型正确地包含在单引号中

Try This:

尝试这个:

string myQuery = "INSERT INTO [user] ([Name],Surname) VALUES ( '" + n + "' , '" + s + "' )";

I suggest you to use Parameterised sql queries to avoid Sql Injection attacks

我建议你使用Parameterised sql查询来避免Sql Injection攻击

Try This: with Parameterised Queries

试试这个:使用参数化查询

string myQuery = "INSERT INTO [user]([Name], Surname) VALUES (@name,@surname)";
OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);
myCommand.Parameters.AddWithValue("@name",n);
myCommand.Parameters.AddWithValue("@surname",s);

#2


2  

Well, you didn't tell us you get any error or not but using parameterized queries is always a better option. This kinf of string concatenations are open for SQL Injection attacks.

好吧,你没有告诉我们你得到任何错误,但使用参数化查询总是一个更好的选择。这种字符串连接的kinf对SQL注入攻击是开放的。

For example;

例如;

string myQuery = "INSERT INTO [user] ([Name], Surname) VALUES (@n, @s)";
OleDbCommand myCommand = new OleDbCommand(myQuery, myConnection);
myCommand.Parameters.AddWithValue("@n", n);
myCommand.Parameters.AddWithValue("@s", s);

Also user and Name are reserved keywords on MS Access. You should use them with square brackets like [user] and [Name].

用户和名称也是MS Access上的保留关键字。你应该使用方括号,如[user]和[Name]。

As a general recomendation, don't use reserved keywords for your identifiers and object names in your database.

作为一般推荐,请勿在数据库中使用保留关键字作为标识符和对象名称。

#3


0  

You're missing a couple apostrophes.

你错过了几个撇号。

The way you've got it, instead of passing two parameters (i.e. 'one' and 'two'), you're passing a single parameter (i.e. 'one , two').

你得到它的方式,而不是传递两个参数(即'一'和'两'),你传递一个参数(即'一,二')。

Try this:

尝试这个:

string myQuery
    = "INSERT INTO user( Name, Surname) VALUES ( '" + n + "' , '" + s + "' )";

#4


0  

The thing is that 'user' is a keyword for MS Access. You must put it in angle brackets: [user].

问题是'user'是MS Access的关键字。你必须把它放在尖括号中:[user]。

HTH Thomas

HTH托马斯