奇怪的查詢。從其他表中獲取ID

Question

我想要的：我想把作者ID，但我只有作者的名字。來自表格作者。那麼我怎麼能得到作者身份證，在這個查詢下面？

INSERT INTO book (title, isbn, author_id) VALUES('" + BookTitle.Text.ToString() + "', '" + BookIsbn.Text.ToString() + "', '(SELECT id FROM author WHERE first_name = '" + BookAuthor.Text.ToString() + "')')"; 

錯誤：

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Marijn')')' at line 1 

我希望我清楚我想要什麼。

謝謝！

Answer 1

Here you have to have function fn_getID(fname) which will return id. 

"INSERT INTO book (title, isbn, author_id) 
VALUES('" + BookTitle.Text.ToString() + "', '" + BookIsbn.Text.ToString() + "'"+fn_getID(BookAuthor.Text.ToString())) 

Answer 2

你不應該把第二個SELECT語句放在單引號中（MySQL把它解釋爲一個字符串）。

"INSERT INTO book (title, isbn, author_id) 
VALUES ('" + BookTitle.Text.ToString() + "', '" + BookIsbn.Text.ToString() + "', 
    (SELECT id FROM author WHERE first_name = '" + BookAuthor.Text.ToString() + "'))" 

PS請注意，將數據插入數據庫的方法使其非常容易受到注入攻擊。

Answer 3

您當前的查詢爲很可能容易受到sql注入的影響。最好的方法是使用參數化查詢，使用SQLCommand and its parameters。我認爲這是更好地利用ADO.Net

string query = "INSERT INTO book (title, isbn, authorID) 
       SELECT @title as title, 
         @isbn AS isbn, 
         id as authorID 
       FROM author 
       WHERE first_name = @author"; 

using (MySqlConnection conn = new MySqlConnection("connectionstringHere")) 
{ 
    using (MySqlCommand comm = new MySqlCommand()) 
    { 
     comm.Connection = conn; 
     comm.CommandType = CommandType.Text; 
     comm.CommandText = query; 
     comm.Parameters.AddWithValue("@title", BookTitle.Text.ToString()); 
     comm.Parameters.AddWithValue("@isbn", BookIsbn.Text.ToString()); 
     comm.Parameters.AddWithValue("@author", BookAuthor.Text.ToString()); 
     try 
     { 
      conn.Open(); 
      comm.ExecuteNonQuery; 
     } 
     catch (MySqlException ex) 
     { 
      // error here 
     } 
     finally 
     { 
      conn.Close(); 
     } 
    } 
}