SQL INSERT - Invalid column name_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-03-15 01:43 出处：网络

As some of you may of seen from my previous post I\'m new to using C# to create websites (Although I have a fair bit of experience using it for Windows Forms apps). The powers that be are tempting me

相关专题：insert sql

As some of you may of seen from my previous post I'm new to using C# to create websites (Although I have a fair bit of experience using it for Windows Forms apps). The powers that be are tempting me away from PHP but I keep failing at what I consider the basics.

Anyway, this is my issue. I am trying to create a simple entry into a SQL database. I know my connection to the DB is fine as I can reel off 开发者_StackOverflowSELECT queries all day long but I'm having trouble with using Insert.

Heres my code:

string filename = "abc123.jpg";
SqlConnection link = new SqlConnection(//you dont need to see my data here ;));
string sqlcode = "INSERT INTO file_uploads (upload_filename VALUES ("+filename+")";
SqlCommand sql = new SqlCommand(sqlcode,link);
link.open();
sql.ExecuteNonQuery();

This results in "Invalid column name abc123.jpg" returned from the try/catch.

Any help would be appreciated. (I wish they would let me do this in PHP lol!)

Thanks,

Tripbrock

You are missing a parenthesis after the column name and the value represents a string and as such must be enclosed in quotes:

string sqlcode = "INSERT INTO file_uploads (upload_filename) " + 
                 "VALUES ('"+filename+"')";

However, the correct way would be to use a parameterized query:

string filename = "abc123.jpg";
SqlConnection link = new SqlConnection(/*you dont need to see my data here ;)*/);
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
SqlCommand sql = new SqlCommand(sqlcode,link);
sql.Parameters.AddWithValue("@filename", filename);
link.open();
sql.ExecuteNonQuery();

your SQL is bad formatted. Try this :

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

Where upload_filename is a name of the column

Really you should be parameterising your queries - this reduces the risk of injection attacks:

string filename = "abc123.jpg";
using( SqlConnection link = new SqlConnection(/*...*/;)) )
{
    // sql statement with parameter
    string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
    using( SqlCommand sql = new SqlCommand(sqlcode,link) )
    {
        // add filename parameter
        sql.Parameters.AddWithValue("filename", filename);
        link.open();
        sql.ExecuteNonQuery();
    }
}

Also note the using statements - these make sure that the connection and command objects are disposed of.

Try

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

You were missing a closing parentheses.

Don't know if it is a typo but the line should be:

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

Notice the ) after upload_filename.

Also also added the single quotes around the filename.

But you probably want to use a parameterized query:

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";

Then use command.Parameters to add the actual value.

looks like you are missing a bracket:

string sqlcode = "INSERT INTO file_uploads (upload_filename VALUES ("+filename+")";

Should be

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

Also, to avoid SQL injection attacks you can use the SQLCommand objects like so.

using (SQLCommand oSQLCommand = new SQLCommand("INSERT INTO file_uploads (upload_filename) VALUES ( @FileName )")
{
oSQLCommand.Parameters.AddWithValue("@FileName", filename);

oSQLCommand.ExecuteNonQuery();
}