Getting SQL error: Unclosed quotation mark after the character string "904LPUH000614"
Keywords: error sql string 904LPUH000614 getting | Updated: 2023-09-27 18:35:24
    using System;
    using System.Data;
    using System.Data.SqlClient;
    using System.Windows.Forms;

    public partial class HardwareInformation : BaseForm
    {
        string sWhere = "";

        public HardwareInformation()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            SqlConnection objConn1 = new SqlConnection("Data Source=192.168.0.203;Initial Catalog=costing;User ID=sa;Password=Spareage@123");

            // Build the WHERE clause from the search box (this is the line the error comes from)
            if (searchtextbox.Text.Trim() != "")
            {
                sWhere = "Where Srno '" + searchtextbox.Text;
            }

            SqlDataAdapter objAdapter = new SqlDataAdapter(@"Select distinct [Srno] ,[Employee Name] , [Department] , [Thin Client] , [Desktop] , [Lcd] , [Moniter] , [Printer] , [Ups] from [dbo].[HardwareDetail] " + sWhere + "", objConn1);
            DataTable objTable = new DataTable();
            objAdapter.Fill(objTable);
            dataGridView1.DataSource = objTable;
            dataGridView1.Columns[0].Width = 25;
            for (int i = 1; i < dataGridView1.Columns.Count; i++)
            {
                dataGridView1.Columns[i].ReadOnly = true;
            }
        }
    }
Use

    "Where Srno = '" + searchtextbox.Text + "'";

You forgot the = sign after Srno, and you need to close the single quote after the text box text.

Where you create the SqlDataAdapter, end it with

    "[Ups] from [dbo].[HardwareDetail] " + sWhere, objConn1);

By the way, watch out for SQL injection.
The = sign and the closing quote after the text box text are missing. So it should be

    "Where Srno = '" + searchtextbox.Text + "'";

Your code is vulnerable to SQL injection. Never insert user input directly into SQL without sanitizing it. You really need to change to a parameterized query:

    SqlDataAdapter objAdapter = new SqlDataAdapter(@"Select distinct [Srno] ,[Employee Name] , [Department] , [Thin Client] , [Desktop] , [Lcd] , [Moniter] , [Printer] , [Ups] from [dbo].[HardwareDetail] WHERE Srno = @srno", objConn1);
    // Change the length and dbtype to match your needs
    // Parameters live on the adapter's SelectCommand; the Add(name, type, size) overload returns the parameter so its Value can be set
    objAdapter.SelectCommand.Parameters.Add("@srno", SqlDbType.NChar, 15).Value = searchtextbox.Text;
    DataTable objTable = new DataTable();
    objAdapter.Fill(objTable);

This frees you from the injection vulnerability and also removes the need to escape quotes and other special characters.
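As an added example (not code from the question or either answer), here is the handler rewritten so that it keeps the original behaviour of filtering only when the search box is non-empty, while the value still travels as a parameter. It assumes the connection string is read from app config under the name "costing" rather than embedded in code, and `LoadHardwareDetail` is a hypothetical helper name.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

public partial class HardwareInformation : BaseForm
{
    // Assumption: connection string comes from app config, not from the source file
    private static readonly string ConnString =
        System.Configuration.ConfigurationManager.ConnectionStrings["costing"].ConnectionString;

    // Hypothetical helper: returns the rows, optionally filtered by serial number.
    // The WHERE clause is appended only when a value was entered (as in the original
    // conditional), and the value itself is a parameter, never part of the SQL text.
    private static DataTable LoadHardwareDetail(string srno)
    {
        const string baseSql =
            "SELECT DISTINCT [Srno], [Employee Name], [Department], [Thin Client], [Desktop], " +
            "[Lcd], [Moniter], [Printer], [Ups] FROM [dbo].[HardwareDetail]";
        using (var conn = new SqlConnection(ConnString))
        using (var cmd = conn.CreateCommand())
        {
            bool filter = !string.IsNullOrWhiteSpace(srno);
            cmd.CommandText = filter ? baseSql + " WHERE [Srno] = @srno" : baseSql;
            if (filter)
            {
                // Size and type should match the Srno column definition (assumed here)
                cmd.Parameters.Add("@srno", SqlDbType.NVarChar, 50).Value = srno.Trim();
            }

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table);   // Fill opens and closes the connection itself
            }
            return table;
        }
    }

    private void button1_Click(object sender, EventArgs e)
    {
        dataGridView1.DataSource = LoadHardwareDetail(searchtextbox.Text);
        dataGridView1.Columns[0].Width = 25;
        for (int i = 1; i < dataGridView1.Columns.Count; i++)
        {
            dataGridView1.Columns[i].ReadOnly = true;
        }
    }
}
```

With an empty search box this returns the whole table, whereas a query that always applies `WHERE Srno = @srno` would return no rows for an empty value.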