我尝试在 C# 中运行 sql 命令但出现错误
Posted
技术标签:
【中文标题】我尝试在 C# 中运行 sql 命令但出现错误【英文标题】:i am try to run sql command in c# but getting errors 【发布时间】:2021-11-15 03:56:24 【问题描述】:我正在尝试通过在我的 .net 项目中使用 insert 命令将值插入到 db
命令:
string[] dist_name = new string[] "Yuma", "Wickenburg", "Verde", "Prescott", "Pinal", "Payson", "Paradise Valley/Eastern", "Navajo", "Mountain", "La Paz", "Goodyear/Western", "Deer Valley/Central","Coconino","Cochise","Buckeye" ;
int[] cust_count = new int[] int.Parse(TextBox11.Text), int.Parse(TextBox11.Text), int.Parse(TextBox12.Text), int.Parse(TextBox13.Text), int.Parse(TextBox14.Text), int.Parse(TextBox15.Text), int.Parse(TextBox16.Text), int.Parse(TextBox17.Text), int.Parse(TextBox18.Text), int.Parse(TextBox19.Text), int.Parse(TextBox20.Text), int.Parse(TextBox21.Text), int.Parse(TextBox22.Text), int.Parse(TextBox23.Text), int.Parse(TextBox24.Text), int.Parse(TextBox25.Text) ;
string[] dist_code = new string[] "YU","WG","VR","VP","PL","GP","PV","NN","GM","YP","YP","GY","DV","NC","CO","WB" ;
SqlConnection con = new SqlConnection(_connectionString);
con.Open();
for (int i = 0; i < dist_name.Length; i++)
SqlCommand sc1 = new SqlCommand("insert into tempdivcustcount(dist_name,dist_code,cust_count,year) Values("+dist_name[i]+","+dist_code[i]+","+cust_count[i]+","+int.Parse(thresholdYear.Text)+") ", con);
object o1 = sc1.ExecuteNonQuery();
但是当我运行它时,我得到了这个错误: “无效的列名“YUMA” "无效的 column_name "YU"
“Yuma”和“Yu”将作为记录插入到我的数据库中 请让我知道如何解决它。 感谢您的帮助
【问题讨论】:
了解如何编写参数化查询。此代码未插入 YUMA 值 您必须在 SQL 中的字符串文字周围加上单引号,但是,正如您 @Steve 指出的那样,正确参数化您的 sql 将解决问题并使您免受潜在的 sql 注入攻击。 关于副本:小心使用 AddWithValue。它很便宜,但它可能会导致比已解决的问题更多的问题。 你能给我举个例子吗? 你读过副本吗?这实际上是你的问题 【参考方案1】:哎呀!这看起来很容易受到 sql 注入问题的影响。试试这个:
// Not a fan of matching arrays by index, but that's an issue for another day.
string[] dist_name = new string[] "Yuma", "Wickenburg", "Verde", "Prescott", "Pinal", "Payson", "Paradise Valley/Eastern", "Navajo", "Mountain", "La Paz", "Goodyear/Western", "Deer Valley/Central","Coconino","Cochise","Buckeye" ;
int[] cust_count = new int[] int.Parse(TextBox11.Text), int.Parse(TextBox11.Text), int.Parse(TextBox12.Text), int.Parse(TextBox13.Text), int.Parse(TextBox14.Text), int.Parse(TextBox15.Text), int.Parse(TextBox16.Text), int.Parse(TextBox17.Text), int.Parse(TextBox18.Text), int.Parse(TextBox19.Text), int.Parse(TextBox20.Text), int.Parse(TextBox21.Text), int.Parse(TextBox22.Text), int.Parse(TextBox23.Text), int.Parse(TextBox24.Text), int.Parse(TextBox25.Text) ;
string[] dist_code = new string[] "YU","WG","VR","VP","PL","GP","PV","NN","GM","YP","YP","GY","DV","NC","CO","WB" ;
// Define SQL outside the loop with named parameter placeholders. This could even be const.
string sql = "INSERT INTO tempdivcustcount (dist_name,dist_code,cust_count,year) VALUES ( @DistName, @DistCode, @CustCount, @Year);";
// using blocks make sure the items are disposed, **even if an exception is thrown**
using (var con = new SqlConnection(_connectionString))
using (var sc1 = new SqlCommand(sql, con))
// I have to guess at types/lengths here.
// You should use the actual types and lengths to match the database columns
sc1.Paramerers.Add("@DistName", SqlDbType.NVarChar, 50);
sc1.Parameters.Add("@DistCode", SqlDbType.VarChar, 10);
sc1.Parameters.Add("@CustCount", SqlDbType.Int);
sc1.Parameters.Add("@Year", SqlDbType.Int).Value = int.Parse(thresholdYear.Text);
con.Open();
for (int i = 0; i < dist_name.Length; i++)
// Setting parameter values this way avoids issues with things like out-of-place apostrophe characters
sc1.Parameters["@DistName"].Value = dist_name[i];
sc1.Parameters["@DistCode"].Value = dist_code[i];
sc1.Parameters["@CustCount"].Value = cust_count[i];
sc1.ExecuteNonQuery();
// using block takes care of closing the connection
【讨论】:
以上是关于我尝试在 C# 中运行 sql 命令但出现错误的主要内容,如果未能解决你的问题,请参考以下文章
C#:通过 ADO.NET 在 SQL Server 2008 上运行事务
尝试在同一连接中运行多个命令时 C# Winforms Npgsql 3.0.5“操作已在进行中”错误