解析查询时出错。 [令牌行号 = 1 ...]

Question

我尝试使用 stringbuilder 来简化流程，但它显示错误，我不明白问题出在 stringbuilder 还是代码语法上。

代码：

        if (dataGridView4.RowCount == 0)
        {
            MessageBox.Show("Attendance form is empty");
        }
        else
        {
            //string att;
            int a = dataGridView4.RowCount;
            string[] s = new string[a];
            for (int i = 0; i < a; i++)
            {
                if (dataGridView4.Rows[i].Cells[1].Selected)
                {
                    s[i] = "Present";
                }
                else
                {
                    s[i] = "Absent";
                }
            }
            string[] s1 = new string[a];
            for (int i = 0; i < a; i++)
            {
                s1[i] = dataGridView4.Rows[i].Cells[0].Value.ToString();
            }
            string date = dateTimePicker1.Value.ToString("dd-MM-yyyy");
            StringBuilder command = new StringBuilder();
            for (int i = 0; i < a; i++)
            {
                command.Append("INSERT into Attendance (att_date, emp_code, is_present) values ('" + date + "','" + s1[i] + "','" + s[i] + "')");
            }
            SqlCeConnection conn = new SqlCeConnection(@"Data Source=C:\Users\admin\documents\visual studio 2010\Projects\WindowsFormsApplication1\WindowsFormsApplication1\hotel.sdf");
            conn.Open();
            SqlCeCommand cmd = new SqlCeCommand(command.ToString(),conn);
            cmd.ExecuteNonQuery();
            MessageBox.Show("Attendance Added");   

请帮我解决这个错误，如果您有任何建议可以简化上述代码，请告诉我。

提前致谢！

Answer 1

您需要使用参数来避免sql注入攻击，并且您不需要像您对日期时间参数所做的那样转换为字符串..

using (SqlCeConnection con = new SqlCeConnection(strConn))
{
    con.Open();
    using (SqlCeCommand cmd = new SqlCeCommand("insert into Attendance (att_date, emp_code, is_present) values (@att_date, @emp_code, @is_present)", con))
    {
        cmd.Parameters.AddWithValue("@att_date", dateTimePicker1.Value);
        cmd.Parameters.AddWithValue("@emp_code", emp_codeVal); //s1[i]
        cmd.Parameters.AddWithValue("@is_present", is_presentVal); //s[i]
        cmd.CommandType = System.Data.CommandType.Text;
        cmd.ExecuteNonQuery();
    }
}

如果您要插入许多记录，请尝试使用SqlCeResultSet，您可以查看该链接上给出的 MSDN 示例代码。

对于每个网格行，您可以执行以下操作

// this is only a sample you need to write for your table 
SqlCeUpdatableRecord rec = rs.CreateRecord();

rec.SetInt32(0, 34);
rec.SetDecimal(1, (decimal)44.66);
rec.SetString(2, "Sample text");

rs.Insert(rec);