static public void updateSelectedCaravan(string make, string model, string birth, string year, string Int, string ext, string width, string Unladen, string mtplm, string warranty, string freeText, string price, string location, string Tel, string Email, int makeID, string description)
{
SqlConnection conn = new SqlConnection(ConnectionString);
conn.Open();
SqlCommand updateNews = new SqlCommand("Update [productDetail] SET [make] =@make , [model] = @model , [Berth] = @birth , [Year] = @year , [InternalLength] = @Int , [ExternalLength] = @ext, [Width] = @width , [UnladenWeight] = @Unladen , [MTPLM] = @mtplm , [Warranty] = @warranty , [FreeTextDetails] = @freeText , [Price] = @price , [Location] = @location , [Tel] = @Tel , [Email] = @Email , [description] = @description where [makeID] = @makeID", conn);
updateNews.Parameters.AddWithValue("@make", make);
updateNews.Parameters.AddWithValue("@model", model);
updateNews.Parameters.AddWithValue("@birth", birth );
updateNews.Parameters.AddWithValue("@year", year);
updateNews.Parameters.AddWithValue("@Int", Int);
updateNews.Parameters.AddWithValue("@ext", ext);
updateNews.Parameters.AddWithValue("@width", width);
updateNews.Parameters.AddWithValue("@Unladen", Unladen);
updateNews.Parameters.AddWithValue("@mtplm", mtplm);
updateNews.Parameters.AddWithValue("@warranty",warranty);
updateNews.Parameters.AddWithValue("@freeText", freeText);
updateNews.Parameters.AddWithValue("@price", price);
updateNews.Parameters.AddWithValue("@location", location);
updateNews.Parameters.AddWithValue("@Tel", Tel);
updateNews.Parameters.AddWithValue("@Email",Email );
updateNews.Parameters.AddWithValue("@description",description );
updateNews.Parameters.AddWithValue("@makeID", makeID);
updateNews.ExecuteNonQuery();
conn.Close();
}
The above query doesnt works works it gives an error Incorrect syntax near '8', It was working fine before but I dont know for what reason it has stopped working , i have debugged d query and its passing all the required values.
上面的查询不起作用它给出错误'8'附近的语法错误,它之前工作正常,但我不知道它已停止工作的原因,我调试了d查询并传递了所有必需的值。
4 个解决方案
#1
1
Stop creating your own SQL queries. It's vulnerable to SQL Injection attacks. Use parameterized expressions instead, and you won't have to deal with these parameter errors anymore.
停止创建自己的SQL查询。它容易受到SQL注入攻击。使用参数化表达式,您将不再需要处理这些参数错误。
SqlCommand cmd = new SqlCommand("UPDATE productDetail SET make = @make WHERE id = @id");
cmd.Parameters.AddWithValue("@make", "someValue");
cmd.Parameters.AddWithValue("@id", 1234);
// execute
#2
2
One of your data items contains a single quote, probably next to a number 8. This is breaking your SQL, and is an example of accidental SQL Injection, which you should guard against.
其中一个数据项包含单引号,可能在数字8旁边。这会破坏您的SQL,并且是一个意外SQL注入的示例,您应该防范它。
You should use parameterised queries. That way the single quote will be automatically escaped for you, and this issue will disappear.
您应该使用参数化查询。这样,单引号将自动为您转义,此问题将消失。
#3
1
Firstly you should paramatise your querys because you have a huge security issue here if someone malicious was going to use your system in regards to SQL injections.
首先,你应该对你的查询进行准确处理,因为如果有人恶意在SQL注入方面使用你的系统,你就会遇到很大的安全问题。
Secondly, what types are the fields? If they are int, as a lot of them should be, you don't need to do:
其次,这些领域是什么类型的?如果它们是int,就像它们中的很多应该是,你不需要这样做:
SET year = '2011'
You would do:
你会这样做:
SET year = 2011
This wont throw errors afaik, but it's recommended.
这不会抛出错误,但建议。
The best way to debug the query is print the query before it executes, to see what the actual built query is. As someone else mentioned it's probably a single quote causing issues.
调试查询的最佳方法是在执行查询之前打印查询,以查看实际构建的查询是什么。正如其他人提到的那样,它可能是一个导致问题的单引号。
If you paramatise your query it will work, and it will be more secure.
如果您对查询进行简化,它将起作用,并且会更安全。
#4
1
In addition to above answers, I would like to suggest you to please try to send the class object in your function.
除了上述答案,我还建议您尝试在函数中发送类对象。
This means you should have a Object Model Project. This contains a class for all the parameters you passed in your function.
这意味着您应该有一个对象模型项目。这包含您在函数中传递的所有参数的类。
Add the reference of this project to your datalayer/presentation and from the presentation send the object of this class populated with data member values to access the member data. In this way, in case tomorrow you have to increase/decrease the parameters, then you do not need to change the function signature.
将此项目的引用添加到您的数据层/表示,并从演示文稿发送此类的对象,该对象填充了数据成员值以访问成员数据。这样,如果明天你必须增加/减少参数,那么你不需要改变功能签名。
#1
1
Stop creating your own SQL queries. It's vulnerable to SQL Injection attacks. Use parameterized expressions instead, and you won't have to deal with these parameter errors anymore.
停止创建自己的SQL查询。它容易受到SQL注入攻击。使用参数化表达式,您将不再需要处理这些参数错误。
SqlCommand cmd = new SqlCommand("UPDATE productDetail SET make = @make WHERE id = @id");
cmd.Parameters.AddWithValue("@make", "someValue");
cmd.Parameters.AddWithValue("@id", 1234);
// execute
#2
2
One of your data items contains a single quote, probably next to a number 8. This is breaking your SQL, and is an example of accidental SQL Injection, which you should guard against.
其中一个数据项包含单引号,可能在数字8旁边。这会破坏您的SQL,并且是一个意外SQL注入的示例,您应该防范它。
You should use parameterised queries. That way the single quote will be automatically escaped for you, and this issue will disappear.
您应该使用参数化查询。这样,单引号将自动为您转义,此问题将消失。
#3
1
Firstly you should paramatise your querys because you have a huge security issue here if someone malicious was going to use your system in regards to SQL injections.
首先,你应该对你的查询进行准确处理,因为如果有人恶意在SQL注入方面使用你的系统,你就会遇到很大的安全问题。
Secondly, what types are the fields? If they are int, as a lot of them should be, you don't need to do:
其次,这些领域是什么类型的?如果它们是int,就像它们中的很多应该是,你不需要这样做:
SET year = '2011'
You would do:
你会这样做:
SET year = 2011
This wont throw errors afaik, but it's recommended.
这不会抛出错误,但建议。
The best way to debug the query is print the query before it executes, to see what the actual built query is. As someone else mentioned it's probably a single quote causing issues.
调试查询的最佳方法是在执行查询之前打印查询,以查看实际构建的查询是什么。正如其他人提到的那样,它可能是一个导致问题的单引号。
If you paramatise your query it will work, and it will be more secure.
如果您对查询进行简化,它将起作用,并且会更安全。
#4
1
In addition to above answers, I would like to suggest you to please try to send the class object in your function.
除了上述答案,我还建议您尝试在函数中发送类对象。
This means you should have a Object Model Project. This contains a class for all the parameters you passed in your function.
这意味着您应该有一个对象模型项目。这包含您在函数中传递的所有参数的类。
Add the reference of this project to your datalayer/presentation and from the presentation send the object of this class populated with data member values to access the member data. In this way, in case tomorrow you have to increase/decrease the parameters, then you do not need to change the function signature.
将此项目的引用添加到您的数据层/表示,并从演示文稿发送此类的对象,该对象填充了数据成员值以访问成员数据。这样,如果明天你必须增加/减少参数,那么你不需要改变功能签名。