我无法使用c#插入我的数据库

尝试将数据插入数据库时​​出现此错误。

System.Data.dll中发生了未处理的“System.Data.SqlClient.SqlException”类型exception

附加信息:关键字“用户”附近的语法不正确。

这是代码:

if(txtRegisterSecurityAnswerOne.TextLength >0 && txtRegisterSecurityAnswerTwo.TextLength >0) { SqlConnection connection1 = new SqlConnection( Properties.Settings.Default.BlackBookDBConnectionString); System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand(); cmd.CommandType = System.Data.CommandType.Text; cmd.CommandText = "INSERT INTO User (Username, Password, SecurityQuestionOne, " + "SecurityQuestionTwo, SecurityAnswerOne, SecurityAnswerTwo); VALUES (" + txtRegisterUsername.Text + "," + txtRegisterPassword.Text + "," + lstRegisterSecurityQuestionOne.SelectedText + "," + lstRegisterSecurityQuestionTwo.SelectedItem + "," + txtRegisterSecurityAnswerOne.Text + "," + txtRegisterSecurityAnswerTwo.Text + ")"; cmd.CommandText = "INSERT INTO USer ()"; cmd.Connection = connection1; connection1.Open(); cmd.ExecuteNonQuery(); connection1.Close(); } 

我编辑了我的代码。 但是由于某种原因,它仍然没有在我的数据库中插入任何内容。

 if(txtRegisterSecurityAnswerOne.TextLength >0 && txtRegisterSecurityAnswerTwo.TextLength >0) { SqlConnection connection1 = new SqlConnection(Properties.Settings.Default.BlackBookDBConnectionString); string sqlquery = "INSERT INTO [User] (Username,Password,SecurityQuestionOne," + "SecurityAnswerOne,SecurityQuestionTwo,SecurityAnswerTwo) " + "VALUES (@Username,@Password,@QuestionOne,@AnswerOne,@QuestionTwo,@AnswerTwo)"; SqlCommand command = new SqlCommand(sqlquery, connection1); string userName = txtRegisterUsername.Text; command.Parameters.AddWithValue("Username", userName); string password = txtRegisterRepeatPassword.Text; command.Parameters.AddWithValue("Password", password); string questionOne = lstRegisterSecurityQuestionOne.SelectedText; command.Parameters.AddWithValue("QuestionOne", questionOne); string questionTwo = lstRegisterSecurityQuestionTwo.SelectedText; command.Parameters.AddWithValue("QuestionTwo", questionTwo); string answerOne = txtRegisterSecurityAnswerOne.SelectedText; command.Parameters.AddWithValue("AnswerOne", answerOne); string answerTwo = txtRegisterSecurityAnswerTwo.SelectedText; command.Parameters.AddWithValue("AnswerTwo", answerTwo); command.Connection = connection1; connection1.Open(); command.ExecuteNonQuery(); connection1.Close(); } 

 if(txtRegisterSecurityAnswerOne.TextLength >0 && txtRegisterSecurityAnswerTwo.TextLength >0) { SqlConnection connection1 = new SqlConnection(Properties.Settings.Default.BlackBookDBConnectionString); connection1.Open(); string sqlquery = "INSERT INTO [User] (Username,Password,SecurityQuestionOne," + "SecurityAnswerOne,SecurityQuestionTwo,SecurityAnswerTwo) " + "VALUES (@Username,@Password,@QuestionOne,@AnswerOne,@QuestionTwo,@AnswerTwo)"; SqlCommand command = new SqlCommand(sqlquery, connection1); string userName = txtRegisterUsername.Text; command.Parameters.Add("@Username", SqlDbType.VarChar, 200).Value = userName; string password = txtRegisterRepeatPassword.Text; command.Parameters.Add("@Password", SqlDbType.VarChar, 200).Value = password; string questionOne = lstRegisterSecurityQuestionOne.SelectedText; command.Parameters.Add("@QuestionOne", SqlDbType.VarChar, 200).Value = questionOne; string questionTwo = lstRegisterSecurityQuestionTwo.SelectedText; command.Parameters.Add("@QuestionTwo", SqlDbType.VarChar, 200).Value = questionTwo; string answerOne = txtRegisterSecurityAnswerOne.SelectedText; command.Parameters.Add("@AnswerOne", SqlDbType.VarChar, 200).Value = answerOne; string answerTwo = txtRegisterSecurityAnswerTwo.SelectedText; command.Parameters.Add("@AnswerTwo", SqlDbType.VarChar, 200).Value = answerTwo; command.ExecuteNonQuery(); connection1.Close(); } 

删除此行:

 cmd.CommandText = "INSERT INTO USer ()"; 

编辑
查看新代码后,您的参数名称错误(缺少@ )。 您应该将代码更改为:

 string userName = txtRegisterUsername.Text; command.Parameters.AddWithValue("@Username", userName); string password = txtRegisterRepeatPassword.Text; command.Parameters.AddWithValue("@Password", password); string questionOne = lstRegisterSecurityQuestionOne.SelectedText; command.Parameters.AddWithValue("@QuestionOne", questionOne); string questionTwo = lstRegisterSecurityQuestionTwo.SelectedText; command.Parameters.AddWithValue("@QuestionTwo", questionTwo); string answerOne = txtRegisterSecurityAnswerOne.SelectedText; command.Parameters.AddWithValue("@AnswerOne", answerOne); string answerTwo = txtRegisterSecurityAnswerTwo.SelectedText; command.Parameters.AddWithValue("@AnswerTwo", answerTwo); 
  1. 删除第二行分配cmd.CommandText – 它覆盖第一行
  2. User是SQL服务器中的关键字,如果您有一个具有该名称的表(您不应该将其括起来)放在方括号中:

    cmd.CommandText = "INSERT INTO [User] ...

在旁注 – 了解参数化查询 。 它们是避免SQL注入攻击的好方法(更不用说混乱的字符串连接)