收到错误“System.Data.SqlClient.SqlException:'')'附近的语法不正确。”

【问题标题】:Getting an error "System.Data.SqlClient.SqlException: 'Incorrect syntax near ')'."收到错误“System.Data.SqlClient.SqlException:'')'附近的语法不正确。”
【发布时间】:2020-03-24 20:12:21
【问题描述】:

我真的需要帮助解决这个错误,我是 C# 新手,所以它可能是也可能不是一个明显的错误。

错误是

System.Data.SqlClient.SqlException: ')' 附近的语法不正确

它出现在:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;
using System.Data.SqlClient; //allows a secure link between the button on add user and the database

namespace inventory_management_coding
{
    public partial class Add_New_User : Form
    {
        SqlConnection con = new SqlConnection(@"Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=C:\Users\Sarwan\Desktop\computer science coding coursework\inventory management coding\Inventory.mdf;Integrated Security=True"); // this is a connection string so it sets the variable con with the database file that is exactly in that file location

        public Add_New_User()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            int i = 0;

            SqlCommand cmd = con.CreateCommand();
            cmd.CommandType = CommandType.Text;
            cmd.CommandText = "select * from Registration where username = '" + textBox3.Text + "'"; //this gets information from my database. Textbox 3 is the username textbox
            cmd.ExecuteNonQuery(); // This is used for executing queries that do not return any data. 

            DataTable dt = new DataTable();
            SqlDataAdapter da = new SqlDataAdapter(cmd); // allows access to the database 
            da.Fill(dt);
            i = Convert.ToInt32(dt.Rows.Count.ToString());

            if (i == 0) //allows us to pass through sub query 
            {
                SqlCommand cmd1 = con.CreateCommand();
                cmd1.CommandType = CommandType.Text;
                cmd1.CommandText = "Insert into registeration ('"+ textBox1.Text  +"','"+ textBox2.Text  +"','"+  textBox3.Text  +"','"+  textBox4.Text  +"','"+  textBox5.Text  +"')"; //This allows data to be entere into the database. Text box 1,2,3,4,5 are linked to firstname, lastname etc
                cmd1.ExecuteNonQuery();

                textBox1.Text = ""; textBox2.Text = ""; 
                textBox3.Text = ""; textBox4.Text = ""; 
                textBox5.Text = ""; // these allow the parameters to be passed through

                MessageBox.Show("user record inserted successfully");
            }
            else
            {
                MessageBox.Show("This username already exists, please choose another"); // this would be an invalid statement for choosing a same username. They must be Unique!
            }
        }

        private void Add_New_User_Load(object sender, EventArgs e)
        {
            if (con.State == ConnectionState.Open) //this section of code is vital in all areas to allow the program to automatically connect to the database. Con is the linking variable. 
            {
                con.Close();
            }

            con.Open();
        }
    }
}

我真的需要这方面的帮助,它说语法是')',但我无法找到正确的解决方案。它发生在这一行:

cmd1.ExecuteNonQuery();

【问题讨论】:

  • 您应该丢弃并忽略任何教程或学习资源正在教您以这种方式编写 SQL。在 .NET 中这样做从来都不是正确的方法。您遇到的错误只是其中一个较温和的问题。

标签: c# sql-server exception visual-studio-2019


【解决方案1】:

用于插入行的 commandText 缺少一些信息。

你目前有

cmd1.CommandText = "Insert into registeration ('"+ textBox1.Text  +"','"+ textBox2.Text  +"','"+  textBox3.Text  +"','"+  textBox4.Text  +"','"+  textBox5.Text  +"')"; //This allows data to be inputted in the database. Text box 1,2,3,4,5 are linked to firstnale, lastname etc

Insert into 命令的语法是

INSERT INTO table_name (column1, column2, column3, ...)
VALUES (value1, value2, value3, ...);

您跳过了指定要为其插入值的列的名称。您没有向我们提供足够的信息来了解您的列名是什么,但您的代码行应该类似于:

//This allows data to be inputted in the database. Text box 1,2,3,4,5 are linked to firstnale, lastname etc
cmd1.CommandText = "Insert into registeration (column1, column2, column3, column4, column5) VALUES ('"+ textBox1.Text  +"','"+ textBox2.Text  +"','"+  textBox3.Text  +"','"+  textBox4.Text  +"','"+  textBox5.Text  +"')";

其中column1, column2, column3, column4, column5 被替换为您的列的实际名称。

当您发现 C# 代码中发生 SQL 异常时,尝试在单独的变量中构建字符串,然后将其传递给 CommandText,以便您可以单步执行代码和调试,并可能剪切和粘贴整个连接的将字符串放入查询窗口,以便您可以在应用程序之外单独运行和调试 SQL。

附带说明一下,您需要对 SQL Injection attacks 进行一些研究,因为通过直接从用户输入框构建 SQL 命令,您可以非常了解这一点漏洞。

【讨论】:

    猜你喜欢
    • 2022-01-13
    • 1970-01-01
    • 2021-03-31
    • 2019-07-17
    • 2017-12-08
    • 2014-05-09
    • 2018-05-09
    • 1970-01-01
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode