「系統」附近語法不正確。系統「：字符串「」附近有語法錯誤

Question

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.UI; 
using System.Web.UI.WebControls; 
using System.Data; 
using System.Data.SqlClient; 
using System.Configuration; 

public partial class Editprofile : System.Web.UI.Page 
{ 
    protected void Page_Load(object sender, EventArgs e) 
    { 
     if (!IsPostBack) 
     { 
      SqlConnection con = new SqlConnection(); 
      con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString; 

      string sql = "select userid from Profile"; 
      SqlCommand cmd = new SqlCommand(); 
      SqlDataReader dr; 
      DataTable dt = new DataTable(); 

      cmd.CommandText = sql; 
      cmd.Connection = con; 

      con.Open(); 
      dr = cmd.ExecuteReader(); 
      dt.Load(dr); 
      ddl_userid.DataSource = dt; 
      ddl_userid.DataTextField = "userid"; 
      ddl_userid.DataValueField = "userid"; 
      ddl_userid.DataBind(); 
     } 
    } 
    protected void ddl_userid_SelectedIndexChanged(object sender, EventArgs e) 
    { 

     SqlConnection con = new SqlConnection(); 
     con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString; 

     string sql = "Select studname,gender,email,birthdate,contact from profile where userid='" + ddl_userid.SelectedValue + "'"; 
     SqlCommand cmd = new SqlCommand(); 
     SqlDataReader dr; 
     DataTable dt = new DataTable(); 

     cmd.CommandText = sql; 
     cmd.Connection = con; 

     con.Open(); 
     dr = cmd.ExecuteReader(); 

     dt.Load(dr); 

     tb_studname.Text = dt.Rows[0]["studname"].ToString(); 
     tb_gender.Text = dt.Rows[0]["gender"].ToString(); 
     tb_email.Text = dt.Rows[0]["email"].ToString(); 
     tb_age.Text = dt.Rows[0]["birthdate"].ToString(); 
     tb_contact.Text = dt.Rows[0]["contact"].ToString(); 
     Session["dt"] = dt; 
    } 
    protected void bn_reset_Click(object sender, EventArgs e) 
    { 
     DataTable dt = (DataTable)Session["dt"]; 
     tb_studname.Text = dt.Rows[0]["studname"].ToString(); 
     tb_gender.Text = dt.Rows[0]["gender"].ToString(); 
     tb_email.Text = dt.Rows[0]["email"].ToString(); 
     tb_age.Text = dt.Rows[0]["birthdate"].ToString(); 
     tb_contact.Text = dt.Rows[0]["contact"].ToString(); 

    } 
    protected void bn_update_Click(object sender, EventArgs e) 
    { 
     SqlConnection con = new SqlConnection(); 
     con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString; 

     String name = tb_studname.Text; 
     String gender = tb_gender.Text; 
     String email = tb_email.Text; 
     String age = tb_age.Text; 
     String contact = tb_contact.Text; 

     string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact; 
     sql=sql +"where userid='"+ddl_userid+"'"; 

     SqlCommand cmd =new SqlCommand(); 
     cmd.CommandText=sql; 
     cmd.Connection=con; 
     try 
     { 
      con.Open(); 
      cmd.ExecuteNonQuery(); 
      lbl_msg.Text="Record Updated!"; 
     } 
     catch(Exception ex) 
     { 
      lbl_msg.Text="Problem encountered:"+ex.Message; 

     } 
     finally 
     { 
      con.Close(); 
      con.Dispose(); 
      cmd.Dispose(); 
     } 


    } 
} 

當我加載頁面的復位按鈕作品嗨，大家好預期，但是當我嘗試這樣 問題遇到發生更新信息按鈕錯誤消息」後閉合的引號。字符串「」

Answer 1

錯誤後未閉合的引號是在更新語句

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+ 
      email+"',birthdate='"+age+"',contact='"+contact +"'"; 

說，你應該刪除所有這些字符串連接，並使用參數化查詢缺少結束引號

有太多的點來解決，我只是顯示一個建議修復的更新

string sql="Update Profile Set studName=@name,gender=@gender,email=@email," + 
      "birthdate=@age,contact=@contact where userid=@uid"; 

    SqlCommand cmd =new SqlCommand(); 
    cmd.CommandText = sql; 
    cmd.Parameters.AddWithValue("@name",name); 
    cmd.Parameters.AddWithValue("@gender",gender); 
    cmd.Parameters.AddWithValue("@email",email); 
    cmd.Parameters.AddWithValue("@age",age); 
    cmd.Parameters.AddWithValue("@contact",contact); 
    cmd.Parameters.AddWithValue("@uid",ddl_userid); 
    cmd.ExecuteNonQuery(); 

這樣你的命令字符串是更具可讀性和你避免微妙的引用錯誤。
此外，引用您的參數的工作被傳遞給框架代碼，並且不存在SQL注入的可能性。

Answer 2

問題與以下行：

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact; 

你需要完成的字符串如下：看，我編輯的語句結束。

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact +"' "; 

注：我建議你，你應該使用，而不是進行直接的字符串參數化查詢。

Answer 3

變化：

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact; 

要：

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact + "' "; 

缺少接觸後的單引號。然後，您需要一個空間，以便添加Where子句的下一行工作。

Answer 4

我覺得這一行的問題;

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"', 
contact='"+contact; 
       ^^ here missing '" 
sql=sql +"where userid='"+ddl_userid+"'"; 

但請不要用這種方式。改爲使用parameterized queries。這種字符串連接對於SQL Injection攻擊是開放的。

還使用參數化查詢可提高可讀性。

例如;

string sql = @"Update Profile Set studName=@studName,gender=@gender,email=@email, birthdate=@birthdate, contact=@contact 
       where userid=@userid"; 
SqlCommand cmd =new SqlCommand(sql, con); 
cmd.Parameters.AddWithValue("@studName", studName); 
cmd.Parameters.AddWithValue("@gender", gender); 
cmd.Parameters.AddWithValue("@email", email); 
cmd.Parameters.AddWithValue("@birthdate", birthdate); 
cmd.Parameters.AddWithValue("@contact", contact); 
cmd.Parameters.AddWithValue("@userid", userid); 
cmd.ExecuteNonQuery();