從asp.net中的表單插入表格

Question

我有一個頁面，您可以填寫一些信息，並根據該信息向數據庫插入新行。這裏是一個充滿形式的截圖：

這裏是我的代碼，點擊提交按鈕，當插入到數據庫：

protected void CreateCourseButton_Click(object sender, EventArgs e) 
{ 
    SqlConnection con = new SqlConnection(); 
    con.ConnectionString = "Data Source=.\\SQLEXPRESS;Initial Catalog=University;Integrated Security=True;Pooling=False"; 

    string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite) values (" 
     + courseID.Text + "," + courseName.Text + "," + studyLevel.SelectedValue + "," + capacity.Text + "," + "Admin," + credits.Text + "," + prereq.Text + ")"; 



    SqlCommand cmd1 = new SqlCommand(query1, con); 
    con.Open(); 
    cmd1.ExecuteNonQuery(); 
    con.Close(); 
} 

的問題是，我得到以下錯誤，當我點擊提交：34

Server Error in '/Bannerweb' Application. 

Incorrect syntax near the keyword 'to'. 

Description: An unhandled exception occurred during the execution of the current web  
request. Please review the stack trace for more information about the error and where 
it originated in the code. 

Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near the 
keyword 'to'. 

Source Error: 


Line 32:   SqlCommand cmd1 = new SqlCommand(query1, con); 
Line 33:   con.Open(); 
Line 34:   cmd1.ExecuteNonQuery(); 
Line 35:   con.Close(); 
Line 36:  } 

Source File: c:\Banner\Bannerweb\Pages\CreateCourse.aspx.cs Line: 34 

Stack Trace: 


[SqlException (0x80131904): Incorrect syntax near the keyword 'to'.] 
    System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean  
breakConnection) +2084930 
    System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean  
breakConnection) +5084668 
    System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning() +234 
    System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, 
SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject 
stateObj) +2275 
    System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean 
async) +228 
    System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result,  
String methodName, Boolean sendToPipe) +326 
    System.Data.SqlClient.SqlCommand.ExecuteNonQuery() +137 
    CreateCourse.CreateCourseButton_Click(Object sender, EventArgs e) in 
c:\Banner\Bannerweb\Pages\CreateCourse.aspx.cs:34 
    System.Web.UI.WebControls.Button.OnClick(EventArgs e) +118 
    System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +112 

線路是：

cmd1.ExecuteNonQuery(); 

任何人都可以幫我解決這個錯誤嗎？

感謝

Answer 1

修改您Insert查詢像

string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite) values (" 
     + courseID.Text + ",'" + courseName.Text + "'," + studyLevel.SelectedValue + "," + capacity.Text + "," + "Admin," + credits.Text + "," + prereq.Text + ")"; 

問題二

如果它是保存然後ExecuteNonQuery將返回1其他0，所以通過使用返回的值，你可以檢查並應用條件。

希望你能理解。

Answer 2

看起來你需要添加周圍​​報價。同樣使用SQL parameterized queries，所以你不容易受到SQL Injection的影響。

'" + courseName.Text + "' 

將評估爲：

'Intro to comp' 

http://johnhforrest.com/2010/10/parameterized-sql-queries-in-c/

Answer 3

你要通過所有的控制值內'更新您的SQL查詢是這樣的：

string query1 = "insert into 
Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite) values ("+ 
"'" + courseID.Text + "'" + "," + "'" + courseName.Text + "'" + "," + 
"'" + studyLevel.SelectedValue + "'" + "," + "'" + capacity.Text + "'" + 
"," + "'Admin'," + "'" + credits.Text + "'" + "," + "'"+prereq.Text +"'" + ")"; 

//返回受查詢影響的行數

int a= cmd1.ExecuteNonQuery(); 
if(a>0) 
{ 
//inserted 
} 
else 
{ 
//not inserted 
} 

檢查here瞭解更多詳情。

Answer 4

發生此錯誤是因爲缺少插入值之間的''''。不管怎麼說最好的方法是使用Parameters收集這樣的：

string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite) values (@crn, @cursename, @studylevel, @capacity, @instructor, @credits, @prerequesite)"; 

SqlCommand cmd1 = new SqlCommand(query1, con); 
cmd1.Parameters.AddWithValue("@crn", courseID.Text); 
//add the rest 

con.Open(); 
cmd1.ExecuteNonQuery(); 
con.Close(); 

Answer 5

這個錯誤可能是從Course name場，在那裏你必須在值空間來。只需修復它，您可以將TextBoxes的值包裝爲'字符。

但是，這是一個巨大的安全漏洞。如今，您必須使用參數，如您插入必須像：

SqlConnection con = new SqlConnection(); 
con.ConnectionString = "..."; 

string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite)"+ 
    " values (@CRN, @CourseName, ...)"; 



SqlCommand cmd1 = new SqlCommand(query1, con); 

// Insert parameters 
cmd1.Parameters.AddWithValue("@CRN",courseID.Text); 
... 

con.Open(); 
cmd1.ExecuteNonQuery(); 
con.Close(); 

您必須使用參數來保護自己免受SQL注入攻擊。

Answer 6

試試這個

string query1 = "insert into Courses(CRN,CourseName,StudyLevel,Capacity,Instructor,Credits,Prerequisite) 
     values ('"+ courseID.Text +"','"+ courseName.Text + "','" + studyLevel.SelectedValue +"', '" + capacity.Text +"','" + "Admin" +"','"+credits.Text + "','" + prereq.Text +"') "; 

你的查詢語法是完全錯誤的。

Answer 7

protected void Button1_Click(object sender, EventArgs e) 
    { 
     SqlConnection conn = new SqlConnection("Data Source=D1-0221-37-393\\SQLEXPRESS;Initial Catalog=RSBY;User ID=sa;Password=BMW@721"); 
     conn.Open(); 
     string EmployeeId = Convert.ToString(TextBox1.Text); 
     string EmployeeName = Convert.ToString(TextBox2.Text); 
     string EmployeeDepartment = Convert.ToString(DropDownList1.SelectedValue); 
     string EmployeeDesignation = Convert.ToString(DropDownList2.SelectedValue); 
     string DOB = Convert.ToString(TextBox3.Text); 
     string DOJ = Convert.ToString(TextBox4.Text); 
     SqlCommand cmd = new SqlCommand("insert into Employeemaster values('" + EmployeeId + "','" + EmployeeName + "','" + EmployeeDepartment + "','" + EmployeeDesignation + "','" + DOB + "','" + DOJ + "')", conn); 
     cmd.ExecuteNonQuery(); 

    }