0

我收到语法错误。

字符字符串 'OKWhere UerName=Sam' 后的未闭合四分号。'OKWhere UserName=sam' 附近的 Sysntax 不正确。

代码:

cmd.CommandText = "UPDATE SystemInfo SET" + " UserName='" + UserName + "',
UserDomainName='" + UserDomainName + "',UserMachineName='" + UserMachineName 
+"',UserIP='" + UserIP + "', UserOsVersion='" + UserOsVersion + 
"',UserSystemDirectory='" + UserSystemDirectory + "',UserCurrentDirectory='" + 
UserCurrentDirectory + "', ProcessorName='" + ProcessorName + "', 
ProcessMnufacturer='" + ProcessMnufacturer + "',ProcessorID='" + ProcessorID + 
"',ProcessorDescription='" + ProcessorDescription + "',ProcessorVersion='" + 
ProcessorVersion + "',ProcessorStatus='" + ProcessorStatus + "',ProcessorDeviceId='" + 
ProcessorDeviceId + "', OSCaption='" + OSCaption + "',OSSerialNumber='" +  
SSerialNumber + "',OSManufacturer ='" + OSManufacturer + "',OSVersion='" + OSVersion + 
"', OSStatus='" + OSStatus + "',OSName='" + OSName + "', BiosName='" + BiosName + 
"',BiosVersion='" + BiosVersion + "',BiosSerialNumber='" + BiosSerialNumber + "', 
BiosManufacturer='" + BiosManufacturer + "',BiosCurrentlanguage='" + 
BiosCurrentlanguage + "', BiosStatus='" + BiosStatus + "Where UserName=" + 
UserName.ToString ();
4

3 回答 3

6 
BiosStatus + "Where UserName="

您需要在子句之前有一个空格WHERE并在 周围添加引号UserName,它应该如下所示:

BiosStatus + " Where UserName='" + UserName.ToString() + "'"

作为附加说明,请尝试使用参数化查询。这将防止SQL Injection攻击。您可以通过执行以下操作来实现此目的:

command.CommandText = "UPDATE TABLE " +  
         "SET BiosStatus = $BiosStatus, BiosManufacturer = $BiosManufacturer " +  
         "WHERE UserName = $UserName";  

 command.Parameters.AddWithValue("$BiosStatus", BiosStatus);  
 command.Parameters.AddWithValue("$BioManufacturer", BiosManufacturer);  
 command.Parameters.AddWithValue("$UserName", UserName);
于 2013-06-17T10:31:13.587 回答
1

参数。总是总是参数。实际上,由于所有输入似乎都是当前实例 ( this) 的属性,因此“dapper”之类的工具可以真正帮助您:

conn.Execute(@"UPDATE SystemInfo SET
UserName=@UserName,
UserDomainName=@UserDomainName,
UserMachineName=@UserMachineName,
UserIP=@UserIP,
-- ...lots skipped...
BiosCurrentlanguage=@BiosCurrentlanguage,
BiosStatus=@BiosStatus
Where UserName=@UserName", this);

作为this第二个参数,使用SQL 中存在的当前实例的所有属性来添加参数,因此它将添加@UserName,@UserDomainName等...

您当然可以使用原始 ADO.NET 手动执行相同的操作 - 这只是更多的工作:

cmd.CommandText = @"UPDATE SystemInfo SET
UserName=@UserName,
UserDomainName=@UserDomainName,
UserMachineName=@UserMachineName,
UserIP=@UserIP,
-- ...lots skipped...
BiosCurrentlanguage=@BiosCurrentlanguage,
BiosStatus=@BiosStatus
Where UserName=@UserName";
cmd.Parameters.AddWithValue("UserName", ((object)UserName) ?? DBNull.Value);
cmd.Parameters.AddWithValue("UserDomainName", ((object)UserDomainName) ?? DBNull.Value);
// ...lots skipped...
cmd.Parameters.AddWithValue("BiosCurrentlanguage", ((object)BiosCurrentlanguage) ?? DBNull.Value);
cmd.Parameters.AddWithValue("BiosStatus", ((object)BiosStatus) ?? DBNull.Value);
cmd.ExecuteNonQuery();
于 2013-06-17T10:41:10.787 回答
-2

尝试纠正

形式

BiosStatus + "Where UserName="


BiosStatus + " Where UserName='"+  UserName.ToString ()+ "'";
于 2013-06-17T10:34:39.710 回答