I am trying to run a SQL command in C# but getting errors


【Title】I am trying to run a SQL command in C# but getting errors 【Posted】2021-11-15 03:56:24 【Question】:

I am trying to insert values into the database with an insert command in my .NET project.

Command:

string[] dist_name = new string[] { "Yuma", "Wickenburg", "Verde", "Prescott", "Pinal", "Payson", "Paradise Valley/Eastern", "Navajo", "Mountain", "La Paz", "Goodyear/Western", "Deer Valley/Central", "Coconino", "Cochise", "Buckeye" };

int[] cust_count = new int[] { int.Parse(TextBox11.Text), int.Parse(TextBox11.Text), int.Parse(TextBox12.Text), int.Parse(TextBox13.Text), int.Parse(TextBox14.Text), int.Parse(TextBox15.Text), int.Parse(TextBox16.Text), int.Parse(TextBox17.Text), int.Parse(TextBox18.Text), int.Parse(TextBox19.Text), int.Parse(TextBox20.Text), int.Parse(TextBox21.Text), int.Parse(TextBox22.Text), int.Parse(TextBox23.Text), int.Parse(TextBox24.Text), int.Parse(TextBox25.Text) };

string[] dist_code = new string[] { "YU", "WG", "VR", "VP", "PL", "GP", "PV", "NN", "GM", "YP", "YP", "GY", "DV", "NC", "CO", "WB" };

SqlConnection con = new SqlConnection(_connectionString);
con.Open();

for (int i = 0; i < dist_name.Length; i++)
{
    // String values are concatenated straight into the SQL text, without quotes
    SqlCommand sc1 = new SqlCommand("insert into tempdivcustcount(dist_name,dist_code,cust_count,year) Values(" + dist_name[i] + "," + dist_code[i] + "," + cust_count[i] + "," + int.Parse(thresholdYear.Text) + ") ", con);
    object o1 = sc1.ExecuteNonQuery();
}

But when I run it I get this error: "Invalid column name 'YUMA'" "Invalid column name 'YU'"

"Yuma" and "YU" are supposed to be inserted into my database as a record. Please let me know how to fix it. Thanks for your help.

【Comments】:

Learn how to write parameterized queries. This code does not insert the value YUMA.

You have to put single quotes around string literals in SQL, but, as @Steve pointed out, parameterizing your SQL properly will solve the problem and protect you from potential SQL injection attacks.

About the duplicate: be careful with AddWithValue. It is cheap, but it can cause more problems than it solves.

Can you give me an example?

Have you read the duplicate? That is actually your problem.

【Answer 1】:

Yikes! This looks vulnerable to SQL injection. Try this:

// Not a fan of matching arrays by index, but that's an issue for another day.
string[] dist_name = new string[] { "Yuma", "Wickenburg", "Verde", "Prescott", "Pinal", "Payson", "Paradise Valley/Eastern", "Navajo", "Mountain", "La Paz", "Goodyear/Western", "Deer Valley/Central", "Coconino", "Cochise", "Buckeye" };
int[] cust_count = new int[] { int.Parse(TextBox11.Text), int.Parse(TextBox11.Text), int.Parse(TextBox12.Text), int.Parse(TextBox13.Text), int.Parse(TextBox14.Text), int.Parse(TextBox15.Text), int.Parse(TextBox16.Text), int.Parse(TextBox17.Text), int.Parse(TextBox18.Text), int.Parse(TextBox19.Text), int.Parse(TextBox20.Text), int.Parse(TextBox21.Text), int.Parse(TextBox22.Text), int.Parse(TextBox23.Text), int.Parse(TextBox24.Text), int.Parse(TextBox25.Text) };
string[] dist_code = new string[] { "YU", "WG", "VR", "VP", "PL", "GP", "PV", "NN", "GM", "YP", "YP", "GY", "DV", "NC", "CO", "WB" };

// Define SQL outside the loop with named parameter placeholders. This could even be const.
string sql = "INSERT INTO tempdivcustcount (dist_name,dist_code,cust_count,year) VALUES (@DistName, @DistCode, @CustCount, @Year);";

// using blocks make sure the items are disposed, **even if an exception is thrown**
using (var con = new SqlConnection(_connectionString))
using (var sc1 = new SqlCommand(sql, con))
{
    // I have to guess at types/lengths here.
    // You should use the actual types and lengths to match the database columns
    sc1.Parameters.Add("@DistName", SqlDbType.NVarChar, 50);
    sc1.Parameters.Add("@DistCode", SqlDbType.VarChar, 10);
    sc1.Parameters.Add("@CustCount", SqlDbType.Int);
    sc1.Parameters.Add("@Year", SqlDbType.Int).Value = int.Parse(thresholdYear.Text);

    con.Open();
    for (int i = 0; i < dist_name.Length; i++)
    {
        // Setting parameter values this way avoids issues with things like out-of-place apostrophe characters
        sc1.Parameters["@DistName"].Value = dist_name[i];
        sc1.Parameters["@DistCode"].Value = dist_code[i];
        sc1.Parameters["@CustCount"].Value = cust_count[i];
        sc1.ExecuteNonQuery();
    }
} // using block takes care of closing the connection
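To show why the asker's "Invalid column name" error occurs and why the answer's parameterized approach fixes it, here is an added example (not from the question or the answer) in Python against an in-memory SQLite database standing in for SQL Server. The table and the three sample rows are constructed; the third district is hypothetical and contains an apostrophe to show that merely quoting the values is not enough.

```python
import sqlite3

# Constructed sample rows in the shape of the question's parallel arrays; the
# third district is hypothetical and contains an apostrophe on purpose.
DISTRICTS = [("Yuma", "YU", 120), ("Paradise Valley/Eastern", "PV", 45),
             ("O'Neill Test", "ON", 7)]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tempdivcustcount (dist_name TEXT, dist_code TEXT, "
                "cust_count INTEGER, year INTEGER)")
    return con


def insert_concatenated(con, name, code, count, year, quote):
    """The question's approach: values pasted into the SQL text. An unquoted
    word is parsed as an identifier, so the engine looks for a column called
    Yuma. Adding quotes still breaks as soon as a value contains an apostrophe."""
    def lit(s):
        return "'" + s + "'" if quote else s
    sql = ("INSERT INTO tempdivcustcount(dist_name,dist_code,cust_count,year) VALUES("
           + lit(name) + "," + lit(code) + "," + str(count) + "," + str(year) + ")")
    con.execute(sql)


def insert_parameterized(con, name, code, count, year):
    """The answer's approach: placeholders in the SQL, values passed separately,
    so the content of a value can never change the statement's structure."""
    con.execute("INSERT INTO tempdivcustcount(dist_name,dist_code,cust_count,year) "
                "VALUES(?,?,?,?)", (name, code, count, year))


def try_concat(name, code, count, year, quote=False):
    """Run the concatenated insert on a fresh table; return 'inserted' or the engine's error text."""
    con = make_db()
    try:
        insert_concatenated(con, name, code, count, year, quote)
        return "inserted"
    except sqlite3.OperationalError as e:
        return str(e)


def load_all(rows, year):
    """Insert every district with parameters and read the table back ordered by code."""
    con = make_db()
    for name, code, count in rows:
        insert_parameterized(con, name, code, count, year)
    return con.execute("SELECT dist_name, dist_code, cust_count, year "
                       "FROM tempdivcustcount ORDER BY dist_code").fetchall()
```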

【Discussion】:
