A MySQL connection error I have never seen

New MySQL error:

ERROR [42000] [MySQL][ODBC 3.51 Driver][mysqld-5.5.9]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'System.Data.Odbc.OdbcCommand' at line 1 

I have never seen this error before and have no idea what it relates to.

    using (OdbcConnection connection = new OdbcConnection("Driver={MySQL ODBC 3.51 Driver}; Server=localhost; Database=gymwebsite2; User=root; Password=fakepass;"))
    {
        // ODBC command and transaction objects
        OdbcCommand command = new OdbcCommand();
        OdbcTransaction transaction = null;

        // tell the command to use our connection
        command.Connection = connection;

        try
        {
            // open the connection
            connection.Open();

            // start the transaction
            transaction = connection.BeginTransaction();

            // Assign transaction object for a pending local transaction.
            command.Connection = connection;
            command.Transaction = transaction;

            // TODO: Build a SQL INSERT statement
            OdbcCommand cmd = new OdbcCommand(
                "INSERT INTO User (Email, FirstName, SecondName, DOB, Location, Aboutme, username, password) VALUES ('"
                + TextBox1.Text + "', '" + TextBox2.Text + "', '" + TextBox3.Text + "', '" + TextBox4.Text + "', '"
                + TextBox5.Text + "', '" + TextBox6.Text + "', '" + TextBox7.Text + "', '" + TextBox8.Text + "')",
                connection);

            // run the insert using a non query call
            // (OdbcCommand does not override ToString(), so this sends the literal text
            // "System.Data.Odbc.OdbcCommand" to the server; that is the syntax error quoted above)
            command.CommandText = cmd.ToString();
            command.ExecuteNonQuery();

            /* now we want to make a second call to MYSQL to get the new index value it
               created for the primary key. This is called using scalar so it will return
               the value of the SQL statement. We convert that to an int for later use. */
            command.CommandText = "select last_insert_id();";
            int id = Convert.ToInt32(command.ExecuteScalar());
            Label10.Text = Convert.ToString(id); // the name 'id' does not exist in the current context

            // Commit the transaction.
            transaction.Commit();
        }
        catch (Exception ex)
        {
            Label10.Text = ": " + ex.Message;
            try
            {
                // Attempt to roll back the transaction.
                transaction.Rollback();
            }
            catch
            {
                // Do nothing here; transaction is not active.
            }
        }
    }

Edit:

    using (var conn = new OdbcConnection("Driver={MySQL ODBC 3.51 Driver}; Server=localhost; Database=gymwebsite2; User=root; Password=fakepass;"))
    {
        conn.Open();
        using (var tx = conn.BeginTransaction())
        {
            using (var cmd = conn.CreateCommand())
            {
                // note: the ODBC provider binds parameters by position and expects '?' markers
                // in the SQL text rather than names
                cmd.CommandText = "INSERT INTO User (Email, FirstName, SecondName, DOB, Location, Aboutme, username, password) VALUES (@Email, @FirstName, @SecondName, @DOB, @Location, @Aboutme, @username, @password)";
                cmd.Parameters.AddWithValue("@Email", TextBox1.Text);
                cmd.Parameters.AddWithValue("@FirstName", TextBox2.Text);
                cmd.Parameters.AddWithValue("@SecondName", TextBox3.Text);
                // TODO: might require a parsing if the column is of type date in SQL
                cmd.Parameters.AddWithValue("@DOB", TextBox4.Text);
                cmd.Parameters.AddWithValue("@Location", TextBox5.Text);
                cmd.Parameters.AddWithValue("@Aboutme", TextBox6.Text);
                cmd.Parameters.AddWithValue("@username", TextBox7.Text);
                cmd.Parameters.AddWithValue("@password", TextBox8.Text);
                cmd.ExecuteNonQuery(); // error on this line (the command was never given the transaction: cmd.Transaction = tx)
            }
            using (var cmd = conn.CreateCommand())
            {
                cmd.CommandText = "select last_insert_id();";
                int id = Convert.ToInt32(cmd.ExecuteScalar());
                Label10.Text = Convert.ToString(id);
            }
            tx.Commit();
        }
    }

{"ExecuteNonQuery requires the command to have a transaction when the connection assigned to the command is in a pending local transaction. The Transaction property of the command has not been initialized."}

Why are you still using the wrong ODBC connection to MySQL when there is an ADO.NET connector? And what is this horrible string concatenation when forming the query?:

    OdbcCommand cmd = new OdbcCommand(
        "INSERT INTO User (Email, FirstName, SecondName, DOB, Location, Aboutme, username, password) VALUES ('"
        + TextBox1.Text + "', '" + TextBox2.Text + "', '" + TextBox3.Text + "', '" + TextBox4.Text + "', '"
        + TextBox5.Text + "', '" + TextBox6.Text + "', '" + TextBox7.Text + "', '" + TextBox8.Text + "')",
        connection);

Have you ever heard of SQL injection, and that parameterized queries avoid it?

All I can say is that if you use the + sign when writing SQL queries, it is like taking a gun and shooting yourself in the foot (or some other part, depending on the scenario, but in every case you are shooting yourself; basically a suicidal act).

So, this is the correct way of doing things:

    using MySql.Data.MySqlClient;

    using (var conn = new MySqlConnection("Server=localhost; Database=gymwebsite2; User=root; Password=commando;"))
    {
        conn.Open();
        using (var tx = conn.BeginTransaction())
        {
            using (var cmd = conn.CreateCommand())
            {
                cmd.Transaction = tx; // attach the command to the pending transaction
                cmd.CommandText = "INSERT INTO User (Email, FirstName, SecondName, DOB, Location, Aboutme, username, password) VALUES (@Email, @FirstName, @SecondName, @DOB, @Location, @Aboutme, @username, @password)";
                cmd.Parameters.AddWithValue("@Email", TextBox1.Text);
                cmd.Parameters.AddWithValue("@FirstName", TextBox2.Text);
                cmd.Parameters.AddWithValue("@SecondName", TextBox3.Text);
                // TODO: might require a parsing if the column is of type date in SQL
                cmd.Parameters.AddWithValue("@DOB", TextBox4.Text);
                cmd.Parameters.AddWithValue("@Location", TextBox5.Text);
                cmd.Parameters.AddWithValue("@Aboutme", TextBox6.Text);
                cmd.Parameters.AddWithValue("@username", TextBox7.Text);
                // NOTE: this stores the password exactly as typed; hash it before it reaches the database
                cmd.Parameters.AddWithValue("@password", TextBox8.Text);
                cmd.ExecuteNonQuery();
            }
            using (var cmd = conn.CreateCommand())
            {
                cmd.Transaction = tx;
                cmd.CommandText = "select last_insert_id();";
                int id = Convert.ToInt32(cmd.ExecuteScalar());
                Label10.Text = Convert.ToString(id);
            }
            tx.Commit();
        }
    }

Also, please name those text boxes. The poor soul who ends up maintaining this code might scream in despair.
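Because the question stays on the ODBC provider and the transaction error from the edit is never resolved on the page, here is an added example (not code from the question or the answer) of the same insert done correctly through System.Data.Odbc: the command is attached to the transaction, the SQL uses positional `?` markers because the ODBC provider binds parameters by position rather than by name, and the password column receives a PBKDF2 hash instead of the raw text. The `UserRepository` class, its method signature and the "salt:hash" storage layout are assumptions; the connection string, table and column names are the question's.

```csharp
using System;
using System.Data.Odbc;
using System.Security.Cryptography;

// Hypothetical helper for the question's ODBC setup. Connection string, table and column
// names come from the post; hashing the password column is an assumption added here.
public static class UserRepository
{
    private const string ConnStr =
        "Driver={MySQL ODBC 3.51 Driver}; Server=localhost; Database=gymwebsite2; User=root; Password=fakepass;";
    // Inserts one user in a transaction and returns the new primary key; a throw before Commit() rolls back on Dispose.
    public static int InsertUser(string email, string firstName, string secondName,
        DateTime dob, string location, string aboutMe, string username, string password)
    {
        using var conn = new OdbcConnection(ConnStr);
        conn.Open();
        using var tx = conn.BeginTransaction();
        using var insert = conn.CreateCommand();
        // A command on a connection with a pending local transaction must carry that
        // transaction, otherwise ExecuteNonQuery throws the error quoted in the edit.
        insert.Transaction = tx;
        // The ODBC provider binds parameters by position: '?' markers in the SQL and
        // parameters added in the same order. User input never becomes part of the SQL text.
        insert.CommandText = "INSERT INTO User (Email, FirstName, SecondName, DOB, Location, "
                           + "Aboutme, username, password) VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
        insert.Parameters.AddWithValue("@Email", email);
        insert.Parameters.AddWithValue("@FirstName", firstName);
        insert.Parameters.AddWithValue("@SecondName", secondName);
        insert.Parameters.Add("@DOB", OdbcType.Date).Value = dob; // typed value, not a free-form string
        insert.Parameters.AddWithValue("@Location", location);
        insert.Parameters.AddWithValue("@Aboutme", aboutMe);
        insert.Parameters.AddWithValue("@username", username);
        insert.Parameters.AddWithValue("@password", HashPassword(password));
        insert.ExecuteNonQuery();
        using var idQuery = conn.CreateCommand();
        idQuery.Transaction = tx;
        idQuery.CommandText = "SELECT LAST_INSERT_ID();";
        int id = Convert.ToInt32(idQuery.ExecuteScalar());
        tx.Commit();
        return id;
    }
    // PBKDF2-SHA256 with a random 16-byte salt, stored as "salt:hash" in Base64 so the
    // password column never holds what the user typed.
    private static string HashPassword(string password)
    {
        using var kdf = new Rfc2898DeriveBytes(password, 16, 100000, HashAlgorithmName.SHA256);
        return Convert.ToBase64String(kdf.Salt) + ":" + Convert.ToBase64String(kdf.GetBytes(32));
    }
}
```

The `using var` declarations need C# 8, and the `Rfc2898DeriveBytes` constructor with a `HashAlgorithmName` needs .NET Framework 4.7.2 or .NET Core 2.0 and later. A login check later recomputes PBKDF2 with the stored salt and compares the two hashes.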