Incorrect syntax near '<'

Time: 2023-02-03 23:11:14

I am getting a string from a database that is in XML format and trying to update the XML with the following query:

ExecuteNonQuery("Update Logs SET Message = " + encryptedMessage + " WHERE ID = " + message.Id);

but it gives me the error message:

Incorrect syntax near '<'. The label 'xmlns' has already been declared. Label names must be unique within a query batch or stored procedure. An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name. An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name. An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name. An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name. An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.

I have a feeling it might have something to do with the quotes, but I am not sure. I have tried different options like single quotes, a mixture, etc.

For example, if I do:

ExecuteNonQuery("Update Logs SET Message = " + encryptedMessage.Replace('"','\'')+ " WHERE ID = " + message.Id);

Would this permanently update the double quotes in the message to single quotes? I don't want to do this.

3 Answers

#1


1  

Yes, it looks like you are missing the quotes around the message:

ExecuteNonQuery("Update Logs SET Message = '" + encryptedMessage + "' WHERE ID = " + message.Id);

The XML itself probably has single quotes in it as well, so you may need to escape those (e.g. change one single quote to two single quotes inside the message).

#2


2  

As @Tomek mentioned, you should use parameterized queries. It is more secure and removes the need for doing the conversions suggested in @Dan Sueava's answer.

    using System.Data.SqlClient;
    // Assumed: connectionString points at the database that holds the Logs table.
    using (var connection = new SqlConnection(connectionString))
    using (var command = new SqlCommand(
        "Update Logs SET Message = @EncryptedText WHERE ID = @MessageId", connection))
    {
        // The values travel as parameters, so quotes or '<' in the XML never reach the SQL parser.
        command.Parameters.AddWithValue("@EncryptedText", encryptedMessage);
        command.Parameters.AddWithValue("@MessageId", message.Id);
        connection.Open();
        command.ExecuteNonQuery();
    }
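The three approaches in this thread side by side: the asker's raw concatenation, answer #1's quote-doubling, and answer #2's parameterized statement. This is an added example, not code from the original post or from any of the answers. It uses Python's built-in sqlite3 module as a stand-in for C# and SQL Server; the Logs table, the sample XML message and the hostile message are all constructed here. The hostile input shows what the error message only hints at: with concatenation the message body is parsed as SQL, so it can rewrite the WHERE clause and touch every row.

```python
import sqlite3

# Constructed sample inputs (not from the original post): an XML log message
# that contains both quote styles, and a "message" crafted to hijack the
# WHERE clause when it is glued into the statement text.
SAMPLE_XML = '<log xmlns="urn:example"><msg>It\'s "quoted"</msg></log>'
HOSTILE = "'x' WHERE 1=1 --"


def make_db():
    """In-memory stand-in for the Logs table (SQLite here, SQL Server in the post)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Logs (ID INTEGER PRIMARY KEY, Message TEXT)")
    con.executemany("INSERT INTO Logs VALUES (?, ?)",
                    [(1, "<old/>"), (2, "<other/>")])
    con.commit()
    return con


def update_concat(con, message_id, text):
    """The asker's pattern: the value becomes part of the SQL text, unquoted."""
    sql = "UPDATE Logs SET Message = " + text + " WHERE ID = " + str(message_id)
    con.execute(sql)
    con.commit()


def update_concat_quoted(con, message_id, text):
    """Answer #1: wrap in single quotes and double every embedded single quote."""
    escaped = text.replace("'", "''")
    sql = ("UPDATE Logs SET Message = '" + escaped
           + "' WHERE ID = " + str(message_id))
    con.execute(sql)
    con.commit()


def update_parameterized(con, message_id, text):
    """Answer #2: the value is bound as a parameter and never parsed as SQL."""
    con.execute("UPDATE Logs SET Message = ? WHERE ID = ?", (text, message_id))
    con.commit()


def read_message(con, message_id):
    row = con.execute("SELECT Message FROM Logs WHERE ID = ?", (message_id,)).fetchone()
    return row[0]


def concat_rejects_xml():
    """Gluing raw XML into the statement fails to parse, like the post's error."""
    con = make_db()
    try:
        update_concat(con, 1, SAMPLE_XML)
    except sqlite3.OperationalError:
        return True
    return False


def concat_rows_rewritten_by_hostile_message():
    """With concatenation the message body rewrites the WHERE clause;
    returns how many rows ended up holding the attacker's value 'x'."""
    con = make_db()
    update_concat(con, 1, HOSTILE)
    return con.execute("SELECT COUNT(*) FROM Logs WHERE Message = 'x'").fetchone()[0]


def round_trip(update_fn, text):
    """Update row 1 with text via update_fn; return what rows 1 and 2 hold afterwards."""
    con = make_db()
    update_fn(con, 1, text)
    return read_message(con, 1), read_message(con, 2)


if __name__ == "__main__":
    print("raw concat rejects XML:", concat_rejects_xml())
    print("rows hijacked by hostile message:", concat_rows_rewritten_by_hostile_message())
    for fn in (update_concat_quoted, update_parameterized):
        print(fn.__name__, round_trip(fn, SAMPLE_XML), round_trip(fn, HOSTILE))
```

The round-trip results also settle the asker's worry: doubling the single quotes only affects the statement text, and the stored value comes back unchanged, exactly as it does with a bound parameter. The difference is that quote-doubling is one escape rule you have to get right for every value and every driver, while the parameter is never parsed as SQL at all. One caveat on the C# answer: AddWithValue infers the SQL type from the .NET value, so for a large XML string Parameters.Add with an explicit SqlDbType (NVarChar with size -1, or Xml) keeps the parameter type matched to the column and avoids implicit conversions.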

#3


2  

Use a parametrized query and a command object instead; your encryptedMessage might contain characters which break the syntax of your UPDATE statement.
