英文:
windows c# syntax error in insert statement
问题
我正在尝试向我的MS Access数据库添加数据,我观看了几乎所有的YouTube教程,但仍然在运行时出现错误。
private void btn_add_Click(object sender, EventArgs e)
{
try
{
conn.Open();
OleDbCommand cmd = conn.CreateCommand();
cmd.Connection = conn;
cmd.CommandText = "insert into Employee([Employee ID], Firstname, Lastname, Email, Username, [Password]) values('" + txt_employee_id.Text + "','" + txt_employee_firstname.Text + "','" + txt_employee_lastname.Text + "','" + txt_employee_email.Text + "','" + txt_employee_username.Text + "','" + txt_employee_password.Text + "')";
cmd.ExecuteNonQuery();
MessageBox.Show("Record Save", "Access Connected", MessageBoxButtons.OK, MessageBoxIcon.Information);
conn.Close();
}
catch (Exception ex)
{
MessageBox.Show(ex.Message, "Access Connected", MessageBoxButtons.OK, MessageBoxIcon.Information);
conn.Close();
}
}
请注意,我已将表中的字段名称用方括号括起来,并修改了Password字段的引用,以避免可能的冲突。
英文:
i am trying to add data to my ms access database I watch almost all yt tutorials but its still gives me an error on run time
private void btn_add_Click(object sender, EventArgs e)
{
try
{
conn.Open();
OleDbCommand cmd = conn.CreateCommand();
cmd.Connection = conn;
cmd.CommandText = "insert into Employee(Employee ID, Firstname, Lastname, Email, Username, Password)values('" + txt_employee_id.Text + "','" + txt_employee_firstname.Text + "','"
+ txt_employee_lastname.Text + "','" + txt_employee_email.Text + "','" + txt_employee_username.Text + "','" + txt_employee_password.Text + "')";
cmd.ExecuteNonQuery();
MessageBox.Show("Record Save", "Access Connected", MessageBoxButtons.OK, MessageBoxIcon.Information);
conn.Close();
}
catch(Exception ex)
{
MessageBox.Show(ex.Message, "Access Connected", MessageBoxButtons.OK, MessageBoxIcon.Information);
conn.Close();
}
}
答案1
得分: 1
Column names with spaces need to be enclosed in square brackets. Employee ID
cmd.CommandText = "INSERT INTO Employee([Employee ID], Firstname, Lastname, Email, Username, Password) VALUES (?, ?, ?, ?, ?, ?)";
cmd.Parameters.AddWithValue("@p1", txt_employee_id.Text);
cmd.Parameters.AddWithValue("@p2", txt_employee_firstname.Text);
cmd.Parameters.AddWithValue("@p3", txt_employee_lastname.Text);
cmd.Parameters.AddWithValue("@p4", txt_employee_email.Text);
cmd.Parameters.AddWithValue("@p5", txt_employee_username.Text);
cmd.Parameters.AddWithValue("@p6", txt_employee_password.Text);
cmd.ExecuteNonQuery();
And then use parameterized queries instead of concatenating strings to avoid SQL injection attacks.
The ? is a placeholder for parameter values. The parameter value will be passed in at runtime.
And the @p1, @p2, @p3, @p4, @p5, and @p6 are the parameter names, which are associated with their corresponding parameter values using the AddWithValue() method.
This is a common way of preparing SQL statements to avoid SQL injection attacks. You can read more about the SQL Parameters Property at 1.
英文:
Column names with spaces need to be enclosed in square brackets. Employee ID
cmd.CommandText = "INSERT INTO Employee([Employee ID], Firstname, Lastname, Email, Username, Password) VALUES (?, ?, ?, ?, ?, ?)";
cmd.Parameters.AddWithValue("@p1", txt_employee_id.Text);
cmd.Parameters.AddWithValue("@p2", txt_employee_firstname.Text);
cmd.Parameters.AddWithValue("@p3", txt_employee_lastname.Text);
cmd.Parameters.AddWithValue("@p4", txt_employee_email.Text);
cmd.Parameters.AddWithValue("@p5", txt_employee_username.Text);
cmd.Parameters.AddWithValue("@p6", txt_employee_password.Text);
cmd.ExecuteNonQuery();
And then use parameterized queries instead of concatenating strings to avoid SQL injection attacks.
The ? is a placeholder for parameter values. The parameter value will be passed in at runtime.
And the @p1, @p2, @p3, @p4, @p5, and @p6 are the parameter names, which are associated with their corresponding parameter values using the AddWithValue() method.
This is a common way of preparing SQL statements to avoid SQL injection attacks. You can read more about the SQL Parameters Property
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论