插入數據庫

Question

我已經確定一切都與數據庫中的列類型有關，但我不斷收到SQLCeException。任何人都可以告訴我這段代碼有什麼問題嗎？

private void ANDPaddDriverButton_Click(object sender, EventArgs e) 
{ 
    string first = ANDPfirstNametextBox.Text; 
    string last = ANDPlastNametextBox.Text; 
    string mid = textBox5.Text; 
    string phone = ANDPphonetextBox.Text; 
    string social = ANDPsSNtextBox.Text; 
     // EmployeeType="Employee" 
    string city = ANDPCityTextbox.Text; 
    string state = ANDPStatetextBox.Text; 
    string zip = ANDPzipCodetextbox.Text; 
    string email = ANDPemailtextBox.Text; 
    string address = ANDPaddressTextBox.Text; 
    string user = userName.Text; 

    DBConn.Open(); 
    SqlCeCommand cmd = new SqlCeCommand("INSERT INTO [Employee Table] VALUES (" + 
      first + "," + last + "," + mid + "," + address + "," + phone + "," + social + "," 
       + "Employee" + "," + city + "," + state + "," + zip + "," + email + "," + userName + ")", DBConn); 
    cmd.ExecuteNonQuery(); 
    DBConn.Close(); 
} 

Answer 1

您的string/varchar類型的字段應用單引號引起來！

SqlCeCommand cmd = new SqlCeCommand("INSERT INTO [Employee Table] VALUES (" + 
    "'" + first + "'," 

等等...

而且，別人已經評論你要你的代碼極大地暴露於SQL注入攻擊

Answer 2

由於洛倫佐表示，該字符串值必須是用單引號括起來，但是請閱讀this page這就解釋了爲什麼你不應該用這種方式建立一個查詢，並告訴你如何用參數來完成。

Answer 3

使用參數來防止SQL注入和列名稱，因爲您依賴於數量和表格列的順序，它將來可能會改變（我在猜測列名稱）：

SqlCeCommand cmd = new SqlCeCommand("INSERT INTO [Employee Table] (First, Last, Mid, Address, Phone, Social, Employee, City, State, Zip, Email, UserName) VALUES (@First, @Last, @Mid, @Address, @Phone, @Social, @Employee, @City, @State, @Zip, @Email, @UserName)", DBConn); 
cmd.Parameters.AddWithValue("@First", first); 
cmd.Parameters.AddWithValue("@Last", last); 
cmd.Parameters.AddWithValue("@Mid", mid); 
cmd.Parameters.AddWithValue("@Address", address); 
cmd.Parameters.AddWithValue("@Phone", phone); 
// etc. each column 

順便說盡量不要使用表空間和列名;-)