使用ExecuteNonQuery插入记录,显示无效列名的异常

Question

我正在使用SQL Server 2008.

我想将记录插入到表中ExecuteNonQuery,为此我写了:

customUtility.ExecuteNonQuery("insert into furniture_ProductAccessories(Product_id, Accessories_id, SkuNo, Description1, Price, Discount) values(" + prodid + "," + strAcc + "," + txtSKUNo.Text + "," + txtAccDesc.Text + "," + txtAccPrices.Text + "," + txtAccDiscount.Text + ")");

以下是ExecuteNonQuery功能:

    public static bool ExecuteNonQuery(string SQL)
    {
        bool retVal = false;

        using (SqlConnection con = new SqlConnection(System.Web.Configuration.WebConfigurationManager.ConnectionStrings["dbConnect"].ToString()))
        {
            con.Open();
            SqlTransaction trans = con.BeginTransaction();
            SqlCommand command = new SqlCommand(SQL, con, trans);
            try
            {
                command.ExecuteNonQuery();
                trans.Commit();
                retVal = true;
            }
            catch(Exception ex)
            {
                //HttpContext.Current.Response.Write(SQL + "<br>" + ex.Message);
                //HttpContext.Current.Response.End();
            }
            finally
            {
                // Always call Close when done reading.
                con.Close();
            }
            return retVal;
        }
    }

但它显示了无效列名称的Description1异常,甚至是来自的值txtAccDesc.Text.我已尝试删除Description1列,其他记录已成功插入.

Answer 1

我的通灵调试能力告诉我你正在输入Description1文本框中的值txtAccDesc.连接SQL字符串时无法分隔文字值.

例如

"," + txtAccDesc.Text + "," +

应该

", '" + txtAccDesc.Text + "', " + 

然而,这是一个糟糕的解决方案,因为它可以让您接受SQL注入攻击(更不用说您需要处理文字中的引号和逗号),您应该使用参数化查询.

例如(用记事本写的警告,可能无法编译)

string SQL = "insert into furniture_ProductAccessories(Product_id,Accessories_id,SkuNo,Description1,Price,Discount) values(@Product_id,@Accessories_id,@SkuNo,@Description1,@Price,@Discount)"

SqlParameters[] parameters = new SQLParameters[6];
parameters[0] = new SqlParameter("@Product_id", SqlDbType.Int, prodid );
parameters[1] = new SqlParameter("@Accessories_id", SqlDbType.VarChar, strAcc );
parameters[2] = new SqlParameter("@SkuNo", SqlDbType.VarChar, txtSKUNo);
parameters[3] = new SqlParameter("@Description1", SqlDbType.VarChar, txtAccDesc.Text);
parameters[4] = new SqlParameter("@Price", SqlDbType.Money, txtAccPrices.Text);
parameters[5] = new SqlParameter("@Discount", SqlDbType.Money, txtAccDiscount.Text);

customUtility.ExecuteNonQuery(sql, paramters)

public static bool ExecuteNonQuery(string SQL, SqlParameters[] parameters)
{
    bool retVal = false;

    using (SqlConnection con = new SqlConnection(System.Web.Configuration.WebConfigurationManager.ConnectionStrings["dbConnect"].ToString()))
    {
        con.Open();
        SqlTransaction trans = con.BeginTransaction();
        SqlCommand command = new SqlCommand(SQL, con, trans);
        cmd.parameters.AddRange(parameters);
        try
        {
            command.ExecuteNonQuery();
            trans.Commit();
            retVal = true;
        }
        catch(Exception ex)
        {
            //HttpContext.Current.Response.Write(SQL + "<br>" + ex.Message);
            //HttpContext.Current.Response.End();
        }
        // finally
        //{
            //Always call Close when done reading.
            //con.Close(); Using already does this, so need for this
        //}
        return retVal;
    }
}