我正在azure中调用web服务,并使用以下方法填充DB。我不知道怎么了。
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = String.Format("INSERT INTO UserFiles VALUES('" + obj.userRef.ToString() + "','name','name','name','name','name','name'");
command.CommandText = cmdText;
command.ExecuteNonQuery();
conn.Close();
}
}
这是错误信息:
System.Data.SqlClient。SqlException (0x80131904):语法错误附近的"名字"。
在System.Data.SqlClient.SqlConnection。OnError (SqlException异常,断开连接,动作
1 wrapCloseInAction)(wrapCloseInAction)
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning (TdsParserStateObjectstatobj, Boolean callerHasConnectionLock, Boolean asyncClose)
在System.Data.SqlClient.TdsParser。TryRun (RunBehavior RunBehavior,SqlCommand cmdHandler, SqlDataReader dataStreamBulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObjectstateObj Boolean&dataReady)
在System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(字符串methodName, Boolean async, Int32 timeout)
在System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery (TaskCompletionSource"1sendToPipe, Int32超时;布尔asyncWrite)
在System.Data.SqlClient.SqlCommand.ExecuteNonQuery ()
在_4900ProjectDesktopInterface.Form1。uploadbutton_Click(对象发送方,EventArgs e) in4900 projectdesktopinterface C:UsersKenDocumentsGitHub MegaFileUploadConversionService TestingTool Form1.cs:行152 r nClientConnectionId: fb95122f - 415 b - 484 d - 9438 - 903 - f0bf2aad0"
您的cmdText需要在末尾再加一个);
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = String.Format("INSERT INTO UserFiles VALUES(@userRef, @name1, @name2, @name3, @name4, @name5, @name6)");
command.Parameters.AddVithValue("@userRef", obj.userRef.ToString());
command.Parameters.AddVithValue("@name1", name);
command.Parameters.AddVithValue("@name2", name);
command.Parameters.AddVithValue("@name3", name);
command.Parameters.AddVithValue("@name4", name);
command.Parameters.AddVithValue("@name5", name);
command.Parameters.AddVithValue("@name6", name);
command.CommandText = cmdText;
command.ExecuteNonQuery();
conn.Close();
}
}
正如我在评论中所说,您应该始终使用参数化查询。您的代码对SQL注入攻击是开放的
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = String.Format("INSERT INTO UserFiles VALUES('" + obj.userRef.ToString() + "','name','name','name','name','name','name')");
command.CommandText = cmdText;
command.ExecuteNonQuery();
conn.Close();
}
}
你忘了右括号
看起来您没有终止值的左括号?为什么要使用String.Format?你可以去掉conn。close,因为使用语句的将隐式执行此操作。
using (SqlConnection conn = new SqlConnection(cs))
{
using (SqlCommand command = conn.CreateCommand())
{
conn.Open();
string cmdText = "INSERT INTO UserFiles VALUES('" + obj.userRef.ToString() + "','name','name','name','name','name','name')";
command.CommandText = cmdText;
command.ExecuteNonQuery();
}
}