更新时间:2023-02-03 22:59:01
调试代码,并在运行时检查在sb
中形成的Insert语句是什么.
看看下面的" SQL插入"语法链接.
http://www.w3schools.com/sql/sql_insert.asp
Debug your code and check what is the Insert statement gets formed insb
at run-time.
Have a look at below link for "SQL Insert" syntax.
http://www.w3schools.com/sql/sql_insert.asp
使用参数化查询来防止SQL注入
使用参数化查询来防止SQL注入攻击在SQL Server中 [ ^ ]
还请小心使用 SQL Server保留关键字 [ ^ ],使用正方形字段名称&的方括号[].表名.
而且您的代码是错误的,请尝试一下.
Prevent SQL injection by using parametrized queries
Using Parameterized queries to prevent SQL Injection Attacks in SQL Server[^]
Also careful with SQL Server Reserved Keywords[^], Use Square brackets[] for the field names & table names.
And your code is wrong, try this.
const string insertsql = "INSERT INTO Items(Description,ItemNo,Qty)VALUES";
sb.AppendFormat("{0}",insertsql);
foreach (string item in sc)
{
if (item.Contains(","))
{
splitItems = item.Split(",".ToCharArray());
sb.AppendFormat("'{0}','{1}','{2}');",splitItems[0], splitItems[1], splitItems[2]);
}
}
但是使用参数化查询
But use parametrized queries
错误描述说,您正在执行的查询不完整.INSERT INTO Items(Description,ItemNo,Qty)VALUES
正确的查询应该是INSERT INTO Items(Description,ItemNo,Qty)VALUES(''desc1'',''item1'',''qty1'');
为什么您的查询的值部分为空白... ???而且也没有括号!
检查您的循环,并在需要的地方添加检查条件...应该没有空白查询:) :)
调试它,并在执行之前获取命令字符串..在程序执行之前,尝试在sql内部执行它.
希望您能尽快发现自己的错误:)
the error description says, you are executing an incomplete query.. i.e.INSERT INTO Items(Description,ItemNo,Qty)VALUES
the right query should beINSERT INTO Items(Description,ItemNo,Qty)VALUES(''desc1'',''item1'',''qty1'');
why your query''s value part is blank... ??? and there are no brackets too!!!
check your loopings and, add check conditions where required... there should be no blank queries :) :)
debug it, and get the command string before it executes.. try to execute it inside the sql before the programe executes it..
hope you notice your mistake soon :)