
I am trying to insert a record from a C# Windows Form into an Access 2007 database, but I get this error:

Error: Syntax error in INSERT INTO statement. A first chance exception of type 'System.Data.OleDb.OleDbException' occurred in System.Data.dll

But I don't see anything wrong with my code:

    try
    {
        string sday = "Sun";
        s1 = comboBox180.SelectedItem.ToString();
        t1 = comboBox10.SelectedItem.ToString();
        d1 = comboBox17.SelectedItem.ToString();
        string bla = "XYZ";
        aCommand5 = new OleDbCommand("INSERT INTO weekly(batch_code,day,period_no,teacher1,time1,teacher2,time2,teacher3,time3,teacher4,time4,teacher5,time5,teacher6,time6,teacher7,time7,teacher8,time8,teacher9,time9,teacher10,time10,teacher11,time11,teacher12,time12) VALUES ('" + code + "','" +sday+"','" + no_of_period + "','" + t1 + "','" + d1 + "','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"','"+bla+"')", main_connection);
        int check = aCommand5.ExecuteNonQuery();
        if (check == 1)
        {
            MessageBox.Show("Data Saved");
        }
    }
    catch (OleDbException oldex)
    {
        Console.WriteLine("Error: {0}", oldex.Errors[0].Message);
    }

t1 and d1 are both string variables.

2 Answers

First, you should always use parameterized queries. This kind of code is open to SQL injection attacks.

Second, DAY is a reserved keyword in MS Access 2007. You should wrap it in square brackets, as [day], for example:

    // The column list and the VALUES clause are split into two concatenated
    // literals; a plain C# string literal cannot span a line break.
    aCommand5 = new OleDbCommand("INSERT INTO weekly(batch_code, [day], period_no, teacher1, time1, teacher2, time2, teacher3, time3, teacher4, time4, teacher5, time5, teacher6, time6, teacher7, time7, teacher8, time8, teacher9, time9, teacher10, time10, teacher11, time11, teacher12, time12) " +
                                 "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
                                 main_connection);

    // OleDb binds parameters by position, in the order of the '?' markers;
    // the names are only labels.
    aCommand5.Parameters.AddWithValue("@p1", code);
    aCommand5.Parameters.AddWithValue("@p2", sday);
    aCommand5.Parameters.AddWithValue("@p3", no_of_period);
    aCommand5.Parameters.AddWithValue("@p4", t1);
    aCommand5.Parameters.AddWithValue("@p5", d1);
    aCommand5.Parameters.AddWithValue("@p6", bla);
    aCommand5.Parameters.AddWithValue("@p7", bla);
    aCommand5.Parameters.AddWithValue("@p8", bla);
    aCommand5.Parameters.AddWithValue("@p9", bla);
    aCommand5.Parameters.AddWithValue("@p10", bla);
    aCommand5.Parameters.AddWithValue("@p11", bla);
    aCommand5.Parameters.AddWithValue("@p12", bla);
    aCommand5.Parameters.AddWithValue("@p13", bla);
    aCommand5.Parameters.AddWithValue("@p14", bla);
    aCommand5.Parameters.AddWithValue("@p15", bla);
    aCommand5.Parameters.AddWithValue("@p16", bla);
    aCommand5.Parameters.AddWithValue("@p17", bla);
    aCommand5.Parameters.AddWithValue("@p18", bla);
    aCommand5.Parameters.AddWithValue("@p19", bla);
    aCommand5.Parameters.AddWithValue("@p20", bla);
    aCommand5.Parameters.AddWithValue("@p21", bla);
    aCommand5.Parameters.AddWithValue("@p22", bla);
    aCommand5.Parameters.AddWithValue("@p23", bla);
    aCommand5.Parameters.AddWithValue("@p24", bla);
    aCommand5.Parameters.AddWithValue("@p25", bla);
    aCommand5.Parameters.AddWithValue("@p26", bla);
    aCommand5.Parameters.AddWithValue("@p27", bla);

    aCommand5.ExecuteNonQuery();

answered 2013-05-16T07:57:18.430

The source of the syntax error is the word DAY. It is a reserved keyword in MS-Access 2007, so you need to enclose it in square brackets

    aCommand5 = new OleDbCommand("INSERT INTO weekly(batch_code,[day],.....")

However, let me say that this is the worst case of string concatenation I have ever seen. Do not use string concatenation to build SQL queries; ALWAYS use parameterized queries.

Here is an example of building the SQL statement using a parameterized query

    // [day] is bracketed because DAY is reserved; the VALUES list now has its
    // closing parenthesis and a space before VALUES.
    aCommand5 = new OleDbCommand("INSERT INTO weekly (batch_code,[day],period_no,teacher1,time1," +
                                 "teacher2,time2,teacher3,time3,teacher4,time4, " +
                                 "teacher5,time5,teacher6,time6,teacher7,time7,teacher8,time8," +
                                 "teacher9,time9,teacher10,time10,teacher11,time11,teacher12,time12) " +
                                 "VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
                                 main_connection);

    aCommand5.Parameters.AddWithValue("@p1", code);
    aCommand5.Parameters.AddWithValue("@p2", sday);
    .... and so on for the other 25 parameters
    .....
    aCommand5.ExecuteNonQuery();

This way you leave the job of correctly parsing the values to the framework code, avoiding syntax errors from single quotes, decimal points, date formats and so on. But you also avoid the SQL injection problem.

Pay attention to the correct database type of the field. If you have numeric or datetime fields, remember to call the appropriate Convert.ToXXXX on the value passed to the database with AddWithValue.

answered 2013-05-16T07:49:22.177
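As an added example that is not code from the question or either answer, the following builds the same 27-column INSERT with every identifier bracketed (so DAY or any other reserved word cannot break the statement) and binds the values in marker order, which is how OleDb matches parameters. It assumes an already open OleDbConnection to the questioner's Access file, the weekly table from the question, and that period_no is a numeric column.

```csharp
using System;
using System.Collections.Generic;
using System.Data.OleDb;
using System.Linq;

// Added example; assumes the 'weekly' table from the question.
static class WeeklyInsert
{
    // Builds "INSERT INTO [weekly] ([batch_code], [day], ...) VALUES (?, ?, ...)".
    // Bracketing every column name neutralises reserved words such as DAY,
    // and the '?' markers keep user input out of the SQL text entirely.
    public static string BuildInsertSql(string table, IList<string> columns)
    {
        string colList = string.Join(", ", columns.Select(c => "[" + c + "]"));
        string markers = string.Join(", ", Enumerable.Repeat("?", columns.Count));
        return "INSERT INTO [" + table + "] (" + colList + ") VALUES (" + markers + ")";
    }

    // Inserts one weekly row: the real first slot (t1/d1), the other eleven
    // slots filled with the "XYZ" placeholder used in the question.
    public static int Insert(OleDbConnection conn, string code, string sday,
                             int periodNo, string t1, string d1)
    {
        var columns = new List<string> { "batch_code", "day", "period_no" };
        // periodNo is passed as int so the provider picks a numeric OleDbType
        // (the Convert.ToXXXX point raised in the second answer).
        var values = new List<object> { code, sday, periodNo };
        for (int i = 1; i <= 12; i++)
        {
            columns.Add("teacher" + i);
            columns.Add("time" + i);
            values.Add(i == 1 ? t1 : "XYZ");
            values.Add(i == 1 ? d1 : "XYZ");
        }

        using (var cmd = new OleDbCommand(BuildInsertSql("weekly", columns), conn))
        {
            // OleDb ignores parameter names; binding follows the order of the
            // '?' markers, so values[i] must line up with columns[i].
            for (int i = 0; i < values.Count; i++)
                cmd.Parameters.AddWithValue("@p" + (i + 1), values[i]);
            return cmd.ExecuteNonQuery(); // 1 on success
        }
    }
}
```

Call Insert with the open main_connection from the question; a return value of 1 corresponds to the "Data Saved" check in the original code.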