“系统”附近语法不正确。系统“：字符串“”附近有语法错误

Question

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Web; 
using System.Web.UI; 
using System.Web.UI.WebControls; 
using System.Data; 
using System.Data.SqlClient; 
using System.Configuration; 

public partial class Editprofile : System.Web.UI.Page 
{ 
    protected void Page_Load(object sender, EventArgs e) 
    { 
     if (!IsPostBack) 
     { 
      SqlConnection con = new SqlConnection(); 
      con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString; 

      string sql = "select userid from Profile"; 
      SqlCommand cmd = new SqlCommand(); 
      SqlDataReader dr; 
      DataTable dt = new DataTable(); 

      cmd.CommandText = sql; 
      cmd.Connection = con; 

      con.Open(); 
      dr = cmd.ExecuteReader(); 
      dt.Load(dr); 
      ddl_userid.DataSource = dt; 
      ddl_userid.DataTextField = "userid"; 
      ddl_userid.DataValueField = "userid"; 
      ddl_userid.DataBind(); 
     } 
    } 
    protected void ddl_userid_SelectedIndexChanged(object sender, EventArgs e) 
    { 

     SqlConnection con = new SqlConnection(); 
     con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString; 

     string sql = "Select studname,gender,email,birthdate,contact from profile where userid='" + ddl_userid.SelectedValue + "'"; 
     SqlCommand cmd = new SqlCommand(); 
     SqlDataReader dr; 
     DataTable dt = new DataTable(); 

     cmd.CommandText = sql; 
     cmd.Connection = con; 

     con.Open(); 
     dr = cmd.ExecuteReader(); 

     dt.Load(dr); 

     tb_studname.Text = dt.Rows[0]["studname"].ToString(); 
     tb_gender.Text = dt.Rows[0]["gender"].ToString(); 
     tb_email.Text = dt.Rows[0]["email"].ToString(); 
     tb_age.Text = dt.Rows[0]["birthdate"].ToString(); 
     tb_contact.Text = dt.Rows[0]["contact"].ToString(); 
     Session["dt"] = dt; 
    } 
    protected void bn_reset_Click(object sender, EventArgs e) 
    { 
     DataTable dt = (DataTable)Session["dt"]; 
     tb_studname.Text = dt.Rows[0]["studname"].ToString(); 
     tb_gender.Text = dt.Rows[0]["gender"].ToString(); 
     tb_email.Text = dt.Rows[0]["email"].ToString(); 
     tb_age.Text = dt.Rows[0]["birthdate"].ToString(); 
     tb_contact.Text = dt.Rows[0]["contact"].ToString(); 

    } 
    protected void bn_update_Click(object sender, EventArgs e) 
    { 
     SqlConnection con = new SqlConnection(); 
     con.ConnectionString = ConfigurationManager.ConnectionStrings["ProfileCS"].ConnectionString; 

     String name = tb_studname.Text; 
     String gender = tb_gender.Text; 
     String email = tb_email.Text; 
     String age = tb_age.Text; 
     String contact = tb_contact.Text; 

     string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact; 
     sql=sql +"where userid='"+ddl_userid+"'"; 

     SqlCommand cmd =new SqlCommand(); 
     cmd.CommandText=sql; 
     cmd.Connection=con; 
     try 
     { 
      con.Open(); 
      cmd.ExecuteNonQuery(); 
      lbl_msg.Text="Record Updated!"; 
     } 
     catch(Exception ex) 
     { 
      lbl_msg.Text="Problem encountered:"+ex.Message; 

     } 
     finally 
     { 
      con.Close(); 
      con.Dispose(); 
      cmd.Dispose(); 
     } 


    } 
} 

当我加载页面的复位按钮作品嗨，大家好预期，但是当我尝试这样 问题遇到发生更新信息按钮错误消息”后闭合的引号。字符串“”

Answer 1

错误后未闭合的引号是在更新语句

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+ 
      email+"',birthdate='"+age+"',contact='"+contact +"'"; 

说，你应该删除所有这些字符串连接，并使用参数化查询缺少结束引号

有太多的点来解决，我只是显示一个建议修复的更新

string sql="Update Profile Set studName=@name,gender=@gender,email=@email," + 
      "birthdate=@age,contact=@contact where userid=@uid"; 

    SqlCommand cmd =new SqlCommand(); 
    cmd.CommandText = sql; 
    cmd.Parameters.AddWithValue("@name",name); 
    cmd.Parameters.AddWithValue("@gender",gender); 
    cmd.Parameters.AddWithValue("@email",email); 
    cmd.Parameters.AddWithValue("@age",age); 
    cmd.Parameters.AddWithValue("@contact",contact); 
    cmd.Parameters.AddWithValue("@uid",ddl_userid); 
    cmd.ExecuteNonQuery(); 

这样你的命令字符串是更具可读性和你避免微妙的引用错误。
此外，引用您的参数的工作被传递给框架代码，并且不存在SQL注入的可能性。

Answer 2

问题与以下行：

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact; 

你需要完成的字符串如下：看，我编辑的语句结束。

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact +"' "; 

注：我建议你，你应该使用，而不是进行直接的字符串参数化查询。

Answer 3

变化：

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact; 

要：

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"',contact='"+contact + "' "; 

缺少接触后的单引号。然后，您需要一个空间，以便添加Where子句的下一行工作。

Answer 4

我觉得这一行的问题;

string sql="Update Profile Set studName='"+name+"',gender='"+gender+"',email='"+email+"',birthdate='"+age+"', 
contact='"+contact; 
       ^^ here missing '" 
sql=sql +"where userid='"+ddl_userid+"'"; 

但请不要用这种方式。改为使用parameterized queries。这种字符串连接对于SQL Injection攻击是开放的。

还使用参数化查询可提高可读性。

例如;

string sql = @"Update Profile Set studName=@studName,gender=@gender,email=@email, birthdate=@birthdate, contact=@contact 
       where userid=@userid"; 
SqlCommand cmd =new SqlCommand(sql, con); 
cmd.Parameters.AddWithValue("@studName", studName); 
cmd.Parameters.AddWithValue("@gender", gender); 
cmd.Parameters.AddWithValue("@email", email); 
cmd.Parameters.AddWithValue("@birthdate", birthdate); 
cmd.Parameters.AddWithValue("@contact", contact); 
cmd.Parameters.AddWithValue("@userid", userid); 
cmd.ExecuteNonQuery();