在.net ExecuteNonQuery上获得奇怪的错误

Question

我在.NET上使用SQL服务器在后端工作

我有一个数据库,我使用Web控件创建一个记录 - 然后我需要更新一些字段.
我可以捕获sql语句并在sql server中成功运行它 - 但是,当我尝试运行执行非查询时,我收到以下错误:

未处理的执行错误'<'附近的语法不正确.在System.Data.SqlClient.SqlConnection.OnError(SqlException异常,布尔breakConnection)在System.Data.SqlClient.SqlInternalConnection.OnError(SqlException异常,布尔breakConnection)在System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)在系统System.Data.SqlClient.SqlCommand的System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName,Boolean async)处于.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior,SqlCommand cmdHandler,SqlDataReader dataStream,BulkCopySimpleResultSet bulkCopyHandler,TdsParserStateObject stateObj). TestAPI上的System.Data.SqlClient.SqlCommand.ExecuteNonQuery()中的InternalExecuteNonQuery(DbAsyncResult结果,String methodName,Boolean sendToPipe).

这是我的功能:

Public Function UpdateTicketValues(ByVal srId As String) As Boolean
    Dim result As Boolean
    Dim myCDataReader As System.Data.SqlClient.SqlDataReader
    Dim myUConn As New System.Data.SqlClient.SqlConnection
    Dim myCCmd As New System.Data.SqlClient.SqlCommand
    Dim myUCmd As New System.Data.SqlClient.SqlCommand
    Dim strSQL As String

    strSQL = "SELECT Contact_RecId, First_Name, Last_Name, PhoneNbr, Extension, Email FROM vti_ContactInformation " & _
             "WHERE Company_RecId = " & CoId & " AND Email = '" & txtEmail.Text & "'"
    myCConn.Open()
    myUConn = New System.Data.SqlClient.SqlConnection("Data Source=x;Initial Catalog=x;User Id=x;Password=x;Trusted_Connection=False")
    myUConn.Open()
    myCCmd.Connection = myCConn
    myCCmd.CommandText = strSQL
    myCDataReader = myCCmd.ExecuteReader
    If myCDataReader.Read() Then
        'Run update with contact information
        strSQL = "UPDATE SR_Service " & _
                 "SET Contact_RecId = " & myCDataReader.GetValue(0) & ", " & _
                 "    Contact_Name = '" & myCDataReader.GetValue(1) & " " & myCDataReader.GetValue(2) & "', " & _
                 "    PhoneNbr = '" & myCDataReader.GetValue(3) & "', " & _
                 "    Extension = '" & myCDataReader.GetValue(4) & "', " & _
                 "    Email_Address = '" & myCDataReader.GetValue(5) & "' " & _
                 "WHERE SR_Service_RecId = " & srId & " "
        myUCmd.Connection = myUConn
        myUCmd.CommandText = strSQL
        'myCCmd.ExecuteNonQuery()
        lblServiceRequest.Text = myUCmd.CommandText
        result = True
    Else
        myUCmd.CommandText = ""
        result = False
    End If
    If myUCmd.CommandText <> "" Then
        myUCmd.ExecuteNonQuery()
    End If
    myCConn.Close()
    myUConn.Close()
    Return result
End Function

任何帮助表示赞赏!

Answer 1

在我看到错误可能在哪里之前我建议你立即停止你做什么,并首先改变所有sql代码使用参数.如果你不这样做你的网站将开放sql注入攻击,可以破坏你的数据库.

找出问题运行的位置探查器并检查stmt:starting和stmt:completed事件.