As the title says, I'm getting a syntax error when trying to execute the following insert query against an MS Access database from an ASP.NET page.
正如标题所示,我在尝试从ASP.NET页面对MS Access数据库执行以下插入查询时出现语法错误。
sqls = "INSERT INTO Invoice(Date, S_OF, Consignee_name, Vechile_type, Make, Model,
Chassis_no, Transmission, Fuel_Type, Mile_age, Colour,
Engine_type, Wheel_Drive, Accesories_options, FOB_Price,
Fright_Price, Insurance, inspection, Port_of_Loading,
Destination, Drive, Total)
VALUES('" + date1.Text + "','" + Sof.Text + "','" + consigneee.Text + "','" +
dvtype.Text + "','" + make.Text + "','" + Model.Text + "','" + chassisno.Text +
"','" + dtransmision.Text + "','" + dfueltype.Text + "','" + mileage.Text + "','"
+ dcolour.Text + "','" + enginetype.Text + "','" + dwheeldrive.Text + "','"
+ labelc.Text + "','" + FobPrice.Text + "','" + frieghtprice.Text + "','"
+ insurance.Text + "','" + inspection.Text + "','" + portofloading.Text
+ "','" + portdestination.Text + "','" + ddrive.Text + "','" + total.Text + "')"
3 个解决方案
#1
1
I'm just guessing here since you haven't provided the error message but you seem to have a few typos in the column names.
我只是在猜测,因为你没有提供错误信息,但你似乎在列名中有一些拼写错误。
"INSERT INTO Invoice(Date,S_OF,Consignee_name,Vechile_type,Make,...
^^^^^^^
Did you mean Vehicle?
你的意思是车辆?
Accesories_options
It should be spelled Accessories.
它应该拼写配件。
Fright_Price
Do you really charge people to be scared? I'm sure you meant Freight_Price here.
你真的让人害怕吗?我相信你的意思是Freight_Price。
#2
0
You can you String.Format("INSERT INTO Invoice Values {0}{1}{2}", value0, value1, value2 ) so value0 will replace for {0}, value1 will replace for {1} and so on. That's way you can trace the error better.
你可以String.Format(“INSERT INTO Invoice Values {0} {1} {2}”,value0,value1,value2)所以value0将替换为{0},value1将替换为{1},依此类推。这样你可以更好地追踪错误。
Further more, try to use store-procedure and parameters to avoid sql injection. It's worth to spend sometimes on it.
此外,尝试使用store-procedure和参数来避免sql注入。有时花在它上面是值得的。
#3
0
Here is how someone can possibly hack into your database (SQL injection). Please note it is provided for educational purposes! Do not try to execute it!
以下是有人可能入侵您的数据库(SQL注入)。请注意,它是出于教育目的!不要试图执行它!
If someone enters this into your total Textbox, your data may be deleted:
如果有人将其输入您的整个文本框,您的数据可能会被删除:
'); delete from invoice; print ('hi
Ironically, couple years ago I got error message on the web site where I ordered parts for my car (Mopar parts seller). I got error like "...error in WHERE clause...". So, it was open for SQL injection attack. I sent them email but never ordered from them again. I hope, you are not representing them here :)
具有讽刺意味的是,几年前,我在网站上收到了错误消息,我订购了我的汽车零件(Mopar零件销售商)。我收到错误,如“...... WHERE子句中的错误......”。因此,SQL注入攻击是开放的。我给他们发了电子邮件但从未再次向他们订购过。我希望,你不是在这里代表他们:)
#1
1
I'm just guessing here since you haven't provided the error message but you seem to have a few typos in the column names.
我只是在猜测,因为你没有提供错误信息,但你似乎在列名中有一些拼写错误。
"INSERT INTO Invoice(Date,S_OF,Consignee_name,Vechile_type,Make,...
^^^^^^^
Did you mean Vehicle?
你的意思是车辆?
Accesories_options
It should be spelled Accessories.
它应该拼写配件。
Fright_Price
Do you really charge people to be scared? I'm sure you meant Freight_Price here.
你真的让人害怕吗?我相信你的意思是Freight_Price。
#2
0
You can you String.Format("INSERT INTO Invoice Values {0}{1}{2}", value0, value1, value2 ) so value0 will replace for {0}, value1 will replace for {1} and so on. That's way you can trace the error better.
你可以String.Format(“INSERT INTO Invoice Values {0} {1} {2}”,value0,value1,value2)所以value0将替换为{0},value1将替换为{1},依此类推。这样你可以更好地追踪错误。
Further more, try to use store-procedure and parameters to avoid sql injection. It's worth to spend sometimes on it.
此外,尝试使用store-procedure和参数来避免sql注入。有时花在它上面是值得的。
#3
0
Here is how someone can possibly hack into your database (SQL injection). Please note it is provided for educational purposes! Do not try to execute it!
以下是有人可能入侵您的数据库(SQL注入)。请注意,它是出于教育目的!不要试图执行它!
If someone enters this into your total Textbox, your data may be deleted:
如果有人将其输入您的整个文本框,您的数据可能会被删除:
'); delete from invoice; print ('hi
Ironically, couple years ago I got error message on the web site where I ordered parts for my car (Mopar parts seller). I got error like "...error in WHERE clause...". So, it was open for SQL injection attack. I sent them email but never ordered from them again. I hope, you are not representing them here :)
具有讽刺意味的是,几年前,我在网站上收到了错误消息,我订购了我的汽车零件(Mopar零件销售商)。我收到错误,如“...... WHERE子句中的错误......”。因此,SQL注入攻击是开放的。我给他们发了电子邮件但从未再次向他们订购过。我希望,你不是在这里代表他们:)