时间戳

首页 > 解决方案 > System.Data.SqlClient.SqlException:'')' 附近的语法不正确。' 是那个sql查询错误还是什么?

c# - System.Data.SqlClient.SqlException:'')' 附近的语法不正确。' 是那个sql查询错误还是什么?

问题描述

我正在使用 Visual Studio 2019 和 SQL Server Management Studio。

客户详细信息.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="CustomerDetails.aspx.cs" Inherits="CustomerInfo.CustomerDetails" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <style type="text/css">
        .auto-style1 {
            text-align: center;
        }
        .auto-style2 {
            width: 29%;
            height: 119px;
            margin-left: 51px;
        }
        .auto-style3 {
            width: 240px;
        }
        .auto-style4 {
            width: 240px;
            text-align: right;
        }
    </style>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            <h3 class="auto-style1">Enter Details</h3>
        </div>
        <p>
            &nbsp;</p>
        <table align="center" class="auto-style2">
            <tr>
                <td class="auto-style4">User Name :</td>
                <td>
                    <asp:TextBox ID="name" runat="server" Width="200px"></asp:TextBox>
                </td>
            </tr>
            <tr>
                <td class="auto-style4">Email :</td>
                <td>
                    <asp:TextBox ID="mail" runat="server" Width="200px"></asp:TextBox>
                </td>
            </tr>
            <tr>
                <td class="auto-style4">Password :</td>
                <td>
                    <asp:TextBox ID="password" runat="server" Width="200px"></asp:TextBox>
                </td>
            </tr>
            <tr>
                <td class="auto-style3">&nbsp;</td>
                <td>
                    <asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="Submit" Width="100px" />
                </td>
            </tr>
        </table>
        <asp:Label ID="Label1" runat="server" ForeColor="Green" Visible="False"></asp:Label>
        <asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:Customer_Info_TableConnectionString %>" SelectCommand="SELECT * FROM [cus_table]"></asp:SqlDataSource>
    </form>
</body>
</html>

我得到了我如何创建网页设计的确切输出,它允许我在按下按钮后在字段中输入详细信息,但出现此错误:

抛出异常:System.Data.dll 中的“System.Data.SqlClient.SqlException
” System.Data.dll 中发生“System.Data.SqlClient.SqlException”类型的异常,但未在用户代码中处理
'附近的语法不正确'。

CustomerDetails.aspx.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Configuration;

namespace CustomerInfo
{
    public partial class CustomerDetails : System.Web.UI.Page
    {
        SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["Customer_Info_TableConnectionString"].ConnectionString);

        protected void Page_Load(object sender, EventArgs e)
        {
        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            SqlCommand cmd = new SqlCommand("insert into [dbo].[cus_table]('" + name.Text+"','"+name.Text+"','"+mail.Text+"','"+password.Text+"')",con);

            con.Open();
            cmd.ExecuteNonQuery();
            con.Close();

            Label1.Visible = true;
            Label1.Text = "Information uploaded Successfully! :)";

            name.Text = "";
            mail.Text = "";
            password.Text = "";
        }
    }
}

网络配置

<connectionStrings>
    <add name="Customer_Info_TableConnectionString" 
         connectionString="Data Source=DESKTOP-B44TBSQ;Initial Catalog=Customer_Info_Table;Integrated Security=True"
         providerName="System.Data.SqlClient" />
</connectionStrings>

SQL 服务器:

CREATE TABLE [dbo].[cus_table]
(
    [id] [int] IDENTITY(1,1) NOT NULL,
    [name] [nvarchar](50) NOT NULL,
    [mail] [nvarchar](50) NOT NULL,
    [password] [nvarchar](50) NOT NULL
) ON [PRIMARY]
GO

标签: c#asp.netsql-server

解决方案

  1. 永远不要连接值来创建 SQL(参见:SQL 注入);使用参数,最好使用像 dapper 这样的工具
  2. 建议在插入时指定列顺序以防止歧义
  3. 永远不要将密码存储为文本;用盐对它们进行散列以进行身份​​验证(冗长但很重要的主题),或者如果您正在编写密码管理器,请使用强加密

为了方便起见,这个例子使用了Dapper;请注意,Dapper 还处理打开和关闭连接、参数打包以及(在使用Query<T>等时)将结果解析为实例。ADO.NET 的所有无聊部分!

var pwHash = // ... not shown; something involving password.Text
             // note: you'd usually need to invent and store the "salt", too
conn.Execute(@"
    insert into [dbo].[cus_table] (name, mail, passwordHash)
    values (@name, @mail, @pwHash)",
    new {
        name = name.Text,
        mail = mail.Text,
        pwHash = pwHash
    });

Label1.Visible = true;
Label1.Text = "Information uploaded Successfully! :)";

注意:以上内容不会直接起作用,因为您有一个password列而不是passwordHash列。但重要的是:你的password专栏只是一个不应该存在的东西。我不能强迫你修复它,但是:请做。

糟糕的安全版本将类似于:

conn.Execute(@"
    insert into [dbo].[cus_table] (name, mail, password)
    values (@name, @mail, @password)",
    new {
        name = name.Text,
        mail = mail.Text,
        password = password.Text // TODO: hash (for auth) or encrypt (pw manager)
    });

推荐阅读