我真的需要帮助解决这个错误,我是C#的新手,所以它可能是一个明显的错误,也可能不是。
错误为
System.Data.SqlClient.SqlException:"("附近的语法不正确
它出现在:
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Data.SqlClient; //allows a secure link between the button on add user and the database
namespace inventory_management_coding
{
public partial class Add_New_User : Form
{
SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)MSSQLLocalDB;AttachDbFilename=C:UsersSarwanDesktopcomputer science coding courseworkinventory management codingInventory.mdf;Integrated Security=True"); // this is a connection string so it sets the variable con with the database file that is exactly in that file location
public Add_New_User()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
int i = 0;
SqlCommand cmd = con.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "select * from Registration where username = '" + textBox3.Text + "'"; //this gets information from my database. Textbox 3 is the username textbox
cmd.ExecuteNonQuery(); // This is used for executing queries that do not return any data.
DataTable dt = new DataTable();
SqlDataAdapter da = new SqlDataAdapter(cmd); // allows access to the database
da.Fill(dt);
i = Convert.ToInt32(dt.Rows.Count.ToString());
if (i == 0) //allows us to pass through sub query
{
SqlCommand cmd1 = con.CreateCommand();
cmd1.CommandType = CommandType.Text;
cmd1.CommandText = "Insert into registeration ('"+ textBox1.Text +"','"+ textBox2.Text +"','"+ textBox3.Text +"','"+ textBox4.Text +"','"+ textBox5.Text +"')"; //This allows data to be entere into the database. Text box 1,2,3,4,5 are linked to firstname, lastname etc
cmd1.ExecuteNonQuery();
textBox1.Text = ""; textBox2.Text = "";
textBox3.Text = ""; textBox4.Text = "";
textBox5.Text = ""; // these allow the parameters to be passed through
MessageBox.Show("user record inserted successfully");
}
else
{
MessageBox.Show("This username already exists, please choose another"); // this would be an invalid statement for choosing a same username. They must be Unique!
}
}
private void Add_New_User_Load(object sender, EventArgs e)
{
if (con.State == ConnectionState.Open) //this section of code is vital in all areas to allow the program to automatically connect to the database. Con is the linking variable.
{
con.Close();
}
con.Open();
}
}
}
我真的需要帮助,上面说语法是"(",但我不喜欢正确的解决方案。它发生在以下行:
cmd1.ExecuteNonQuery();
插入行的命令文本缺少一些信息。
您当前有
cmd1.CommandText = "Insert into registeration ('"+ textBox1.Text +"','"+ textBox2.Text +"','"+ textBox3.Text +"','"+ textBox4.Text +"','"+ textBox5.Text +"')"; //This allows data to be inputted in the database. Text box 1,2,3,4,5 are linked to firstnale, lastname etc
但是Insert into命令的语法是
INSERT INTO table_name (column1, column2, column3, ...)
VALUES (value1, value2, value3, ...);
您跳过了指定要为其插入值的列的名称。你还没有给我们足够的信息来知道你的列名是什么,但你的代码行应该是这样的:
//This allows data to be inputted in the database. Text box 1,2,3,4,5 are linked to firstnale, lastname etc
cmd1.CommandText = "Insert into registeration (column1, column2, column3, column4, column5) VALUES ('"+ textBox1.Text +"','"+ textBox2.Text +"','"+ textBox3.Text +"','"+ textBox4.Text +"','"+ textBox5.Text +"')";
其中column1, column2, column3, column4, column5被替换为列的实际名称。
当您在C#代码中发现SQL异常时,尝试在一个单独的变量中构建字符串,然后将其传递给CommandText,这样您就可以遍历代码并进行调试,并可能剪切&将整个连接字符串粘贴到查询窗口中,这样您就可以从应用程序中单独运行和调试SQL。
顺便说一句,您需要对SQL注入攻击进行一些研究,因为通过直接从用户输入框构建SQL命令,您在很大程度上暴露了此漏洞