SQL INSERT - Invalid column name

执念已碎 2021-01-22 16:34

As some of you may have seen from my previous post I'm new to using C# to create websites (Although I have a fair bit of experience using it for Windows Forms apps). The powers t

6 answers
  • 2021-01-22 16:57

    You are missing a parenthesis after the column name and the value represents a string and as such must be enclosed in quotes:

    string sqlcode = "INSERT INTO file_uploads (upload_filename) " + 
                     "VALUES ('"+filename+"')";
    

    However, the correct way would be to use a parameterized query:

    string filename = "abc123.jpg";
    SqlConnection link = new SqlConnection(/*you dont need to see my data here ;)*/);
    string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
    SqlCommand sql = new SqlCommand(sqlcode,link);
    sql.Parameters.AddWithValue("@filename", filename);
    link.Open(); // C# is case-sensitive: the method is Open(), not open()
    sql.ExecuteNonQuery();
    
    0 Discussion (0)
  • 2021-01-22 17:00

    Don't know if it is a typo but the line should be:

    string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

    Notice the ) after upload_filename.

    Also added the single quotes around the filename.

    But you probably want to use a parameterized query:

    string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";

    Then use command.Parameters to add the actual value.

    0 Discussion (0)
  • 2021-01-22 17:02

    Really you should be parameterising your queries - this reduces the risk of injection attacks:

    string filename = "abc123.jpg";
    using( SqlConnection link = new SqlConnection(/*...*/) )
    {
        // sql statement with parameter
        string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
        using( SqlCommand sql = new SqlCommand(sqlcode,link) )
        {
            // add filename parameter (name matches the @filename placeholder)
            sql.Parameters.AddWithValue("@filename", filename);
            link.Open();
            sql.ExecuteNonQuery();
        }
    }
    

    Also note the using statements - these make sure that the connection and command objects are disposed of.

    0 Discussion (0)
  • 2021-01-22 17:06

    your SQL is badly formatted. Try this :

    string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";
    

    Where upload_filename is a name of the column

    0 Discussion (0)
  • 2021-01-22 17:16

    Try

    string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";
    

    You were missing a closing parenthesis.

    0 Discussion (0)
  • 2021-01-22 17:20

    looks like you are missing a bracket:

    string sqlcode = "INSERT INTO file_uploads (upload_filename VALUES ("+filename+")";
    

    Should be

    string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";
    

    Also, to avoid SQL injection attacks you can use the SQLCommand objects like so.

    // link: an already-open SqlConnection (assumed; not shown in the original snippet)
    using (SqlCommand oSQLCommand = new SqlCommand("INSERT INTO file_uploads (upload_filename) VALUES ( @FileName )", link))
    {
        oSQLCommand.Parameters.AddWithValue("@FileName", filename);
    
        oSQLCommand.ExecuteNonQuery();
    }
    
    0 Discussion (0)
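An added illustration of the point all six answers make (not code from any of the posters): a string-built INSERT mixes data into SQL text, so a filename that merely contains an apostrophe breaks the statement, while the parameterized form stores any filename verbatim. It is written in Python against an in-memory SQLite database so it runs stand-alone; the table and column names are the ones from the question, and the sample filenames are constructed.

```python
import sqlite3


def make_db():
    """Create an in-memory database with the table from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE file_uploads (upload_filename TEXT)")
    return conn


def insert_concatenated(conn, filename):
    """The string-built form the answers correct: quoting is done by hand,
    so the value is parsed as part of the SQL statement."""
    sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('" + filename + "')"
    try:
        conn.execute(sqlcode)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        # An apostrophe in the filename ends the literal early and the
        # remainder is read as SQL; the driver reports a syntax error.
        return "error: " + str(exc)


def insert_parameterized(conn, filename):
    """The parameterized form: the driver binds the value separately from
    the statement text, so the filename is never parsed as SQL."""
    conn.execute(
        "INSERT INTO file_uploads (upload_filename) VALUES (?)", (filename,)
    )
    conn.commit()
    return "ok"


def stored_filenames(conn):
    """Return every stored filename in insertion order."""
    rows = conn.execute(
        "SELECT upload_filename FROM file_uploads ORDER BY rowid"
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(insert_concatenated(db, "abc123.jpg"))      # ok
    print(insert_concatenated(db, "o'reilly.jpg"))    # error: near "reilly": ...
    print(insert_parameterized(db, "o'reilly.jpg"))   # ok
    print(stored_filenames(db))                        # ['abc123.jpg', "o'reilly.jpg"]
```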