2017-06-13 33 views
1

Incorrect syntax near the keyword 'add'

I have a project at school, and I need to connect my registration page to the database. I have this code:

if (Request.Form["submit"] != null)
{
    string fName = Request.Form["fName"];
    string lName = Request.Form["lName"];
    string Passwod = Request.Form["Passwod"];
    string email = Request.Form["email"];
    string add = Request.Form["add"];

    string RegStatus;

    if ((fName == "") || (lName == "") || (Passwod == "") || (email == "") || (add == ""))
    {
        RegStatus = "missing data or wrong data";
    }
    else
    {
        // Query text is built by string concatenation (the cause of the problem in this question)
        string selectQuery = "SELECT * FROM " + "[Users]";
        selectQuery += " WHERE ";
        selectQuery += " email = '" + Request.Form["email"] + "'";

        if (MyAdoHelper.IsExist(selectQuery))
        {
            // IsExist returned true, so the email is already registered
            RegStatus = "email already exists";
        }
        else
        {
            // 'add' is not bracketed here, which is what SQL Server rejects
            string insertQuery = "INSERT INTO [Users] (fName,lName,Passwod, email,add) VALUES ('";
            insertQuery += fName + "', '" + lName + "','" + Passwod + "', '" + email + "','" + add + "')";
            Response.Write(insertQuery);
            MyAdoHelper.DoQuery(insertQuery);
            RegStatus = "Registration was successful";
        }
    }

    Response.Write(RegStatus);
    Response.End();
}

After filling in the data (at runtime), the error I get is:

System.Data.SqlClient.SqlException: Incorrect syntax near the keyword 'add'.

Source error:

public static void DoQuery(string sql)
{
    SqlConnection conn = ConnectToDb();
    conn.Open();
    SqlCommand com = new SqlCommand(sql, conn);
    com.ExecuteNonQuery(); //* it says the error is in this line. //*
    com.Dispose();
    conn.Close();
}
+3

If you are learning SQL, learn to use parameterized queries. Don't build query strings. That only leads to syntax errors and SQL injection vulnerabilities. –

Answers

3

add is a SQL keyword. If you have a field named like that, you must use brackets:

INSERT INTO [Users] (fName,lName,Passwod, email,[add]) VALUES... 

Also, as already commented, using parameters instead of string concatenation is very important:

+0

ty man. Works perfectly! – Nyrre
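The registration insert from the question rewritten with the bracketed column and parameterized commands, as an added example that is not code from the asker or the answerer. It assumes an ADO.NET connection string passed in by the caller, the [Users] columns named in the question, and column lengths chosen for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the same registration logic with parameters instead of
// string concatenation. Column names follow the question; the nvarchar
// lengths below are assumptions, adjust them to the real table definition.
public static class UserRegistration
{
    // Returns true if the user was inserted, false if the email already exists.
    public static bool Register(string connectionString, string fName, string lName,
                                string passwod, string email, string add)
    {
        // 'add' is a reserved word, so it is bracketed; every user value is
        // bound as a parameter, so a quote in the input can neither break the
        // statement's syntax nor change its meaning.
        const string existsSql = "SELECT COUNT(*) FROM [Users] WHERE email = @email";
        const string insertSql =
            "INSERT INTO [Users] (fName, lName, Passwod, email, [add]) " +
            "VALUES (@fName, @lName, @Passwod, @email, @add)";

        using (SqlConnection conn = new SqlConnection(connectionString))
        {
            conn.Open();

            using (SqlCommand exists = new SqlCommand(existsSql, conn))
            {
                exists.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
                int count = (int)exists.ExecuteScalar();
                if (count > 0)
                    return false; // email already registered
            }

            using (SqlCommand insert = new SqlCommand(insertSql, conn))
            {
                insert.Parameters.Add("@fName", SqlDbType.NVarChar, 50).Value = fName;
                insert.Parameters.Add("@lName", SqlDbType.NVarChar, 50).Value = lName;
                insert.Parameters.Add("@Passwod", SqlDbType.NVarChar, 128).Value = passwod;
                insert.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = email;
                insert.Parameters.Add("@add", SqlDbType.NVarChar, 200).Value = add;
                insert.ExecuteNonQuery();
            }
        }
        return true;
    }
}
```

The empty-field check from the question's page code still belongs before calling Register; the database call itself no longer depends on the content of the strings.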
