SQL语法错误:删除/放弃撇号';s
本文关键字:放弃 错误 语法 删除 SQL | 更新日期: 2023-09-27 18:25:05
我使用以下代码更新一个Windows窗体上的业务信息。当用户将企业名称放在txtBusName中,类似于"Sandy's Place"时,我会收到Incorrect Syntax near ';'. Unclosed quotation mark after the character string ';'.
处理这个问题的最佳方法是什么?
conn = new SqlConnection(connString);
conn.Open();
SqlCommand cmd = conn.CreateCommand();
mskZip.TextMaskFormat = MaskFormat.ExcludePromptAndLiterals;
string zip = mskZip.Text;
mskZip.TextMaskFormat = MaskFormat.IncludeLiterals;
mskMailZip.TextMaskFormat = MaskFormat.ExcludePromptAndLiterals;
string mailzip = mskMailZip.Text;
mskMailZip.TextMaskFormat = MaskFormat.IncludeLiterals;
mskPhone.TextMaskFormat = MaskFormat.ExcludePromptAndLiterals;
string phone = mskPhone.Text;
mskPhone.TextMaskFormat = MaskFormat.IncludeLiterals;
mskFax.TextMaskFormat = MaskFormat.ExcludePromptAndLiterals;
string fax = mskFax.Text;
mskFax.TextMaskFormat = MaskFormat.IncludeLiterals;
cmd.CommandText = "Update Business SET Name='" + txtBusName.Text + "', ContactName='" + txtContName.Text +
"', Address='" + txtAddr1.Text + "', City='" + txtCity.Text + "', State='" + cmbState.Text + "', Zip=" + ((zip=="")?"NULL":zip) + ", " +
"MailAddress='" + txtMailAddr1.Text + "', MailCity='" + txtMailCity.Text + "', MailState='" + cmbMailState.Text +
"', MailZipcode=" + ((mailzip == "") ? "NULL" : mailzip) + ", Latitude=" + ((txtLat.Text == "") ? "NULL" : txtLat.Text) + ", Longitude=" + ((txtLong.Text == "") ? "NULL" : txtLong.Text) + ", Phone=" +
((phone == "") ? "NULL" : phone) + ", Fax=" + ((fax == "") ? "NULL" : fax) + ", Email='" + txtEmail.Text + "' " +
"WHERE BusinessID=" + busID + " AND Status='A';";
cmd.ExecuteNonQuery();
MessageBox.Show("Database updated successfully.");
this.Close();
在SQL中使用双单引号转义单引号,因此Sandy''s place应该可以工作。
我强烈建议您使用查询参数,而不是将自己的查询串在一起,这样可以修复潜在的安全风险(SQL注入),很可能还会修复引号等问题。
您需要使用类似以下的参数化查询
cmd.CommandText =
"Update Business SET Name=@name, ContactName=@contact, Address=@address, " +
"City=@city, State=@state, Zip=@zip, " +
"MailAddress=@mail, MailCity=@ecity, MailState=@estate, " +
"MailZipcode=@ezip, Latitude=@lat, Longitude=@lng, Phone=@phone, " +
"Fax=@fax, Email=@email " +
"WHERE BusinessID=@busID AND Status='A'";
cmd.Parameters.AddWithValue("@name", txtBusName.Text);
cmd.Parameters.AddWithValue("@contact", txtContName.Text);
cmd.Parameters.AddWithValue("@address", txtAddr1.Text);
cmd.Parameters.AddWithValue("@city", txtCity.Text);
cmd.Parameters.AddWithValue("@state", cmbState.Text);
SqlParameter p1 = cmd.Parameters.Add("@zip", SqlDbType.NVarChar);
if(zip == "") p1.Value = DBNull.Value; else p1.Value = zip;
cmd.Parameters.AddWithValue("@mail", txtMailAddr1.Text);
cmd.Parameters.AddWithValue("@ecity", txtMailCity.Text);
cmd.Parameters.AddWithValue("@estate", cmbMailState.Text);
p1 = cmd.Parameters.Add("@ezip", SqlDbType.NVarChar);
if (mailzip == "") p1.Value = DBNull.Value; else p1.Value = mailzip;
p1 = cmd.Parameters.Add("@lat", SqlDbType.NVarChar);
if (txtLat.Text == "") p1.Value = DBNull.Value; else p1.Value = txtLat.Text;
p1 = cmd.Parameters.Add("@lng", SqlDbType.NVarChar);
if (txtLong.Text == "") p1.Value = DBNull.Value; else p1.Value = txtLong.Text;
p1 = cmd.Parameters.Add("@phone", SqlDbType.NVarChar);
if (phone == "") p1.Value = DBNull.Value; else p1.Value = phone;
p1 = cmd.Parameters.Add("@fax", SqlDbType.NVarChar);
if (fax == "") p1.Value = DBNull.Value; else p1.Value = fax;
cmd.Parameters.AddWithValue("@email", txtEmail.Text );
cmd.Parameters.AddWithValue("@busID", busID);
然而,总结一下,上面链接的文章值得从头到尾阅读,使用参数化查询,您可以将单引号(以及数字小数和日期文字)格式化为框架代码,该代码比我和您更了解如何处理这些字符串,而且通过这种方式,您可以避免可怕的Sql注入问题,该问题可能会使您的数据库受到的攻击
注意:我不知道应该设置为null的列的实际数据类型,所以我假设它们都是NVARCHAR。如果不是这种情况,则应将SqlDbType替换为适当的值。
请使用SqlParameter对象,而不是类似的字符串串联。类似于:
string sql = "Update Business SET Name=@Name, ContactName=@ContactName, Address=@Address WHERE BusinessID=@BusinessID AND Status='A';";
System.Data.SqlClient.SqlParameter[] par = new System.Data.SqlClient.SqlParameter[4];
par[0] = new System.Data.SqlClient.SqlParameter("@Name", txtBusName.Text);
par[1] = new System.Data.SqlClient.SqlParameter("@ContactName", txtContName.Text);
par[2] = new System.Data.SqlClient.SqlParameter("@Address", txtAddr1.Text);
par[3] = new System.Data.SqlClient.SqlParameter("@BusinessID", busID);
System.Data.SqlClient.SqlCommand com = new System.Data.SqlClient.SqlCommand(sql, SQL_CONNECTION);
com.Parameters.AddRange(par);
com.ExecuteNonQuery();
你有太多的参数,所以没有把它们都写出来:)
使用这种方法将为您处理撇号等特殊字符,并使代码看起来更干净、更可读、更安全。
最好的方法是使用参数化查询。
例如:http://www.aspsnippets.com/articles/Using-Parameterized-queries-to-prevent-SQL-Injection-Attacks-in-SQL-Server.aspx