SQL INSERT - Invalid column name

2019-02-26 20:03发布

站内问答 / C#
812 6 5

As some of you may of seen from my previous post I'm new to using C# to create websites (Although I have a fair bit of experience using it for Windows Forms apps). The powers that be are tempting me away from PHP but I keep failing at what I consider the basics.

Anyway, this is my issue. I am trying to create a simple entry into a SQL database. I know my connection to the DB is fine as I can reel off SELECT queries all day long but I'm having trouble with using Insert.

Heres my code:

string filename = "abc123.jpg";
SqlConnection link = new SqlConnection(//you dont need to see my data here ;));
string sqlcode = "INSERT INTO file_uploads (upload_filename VALUES ("+filename+")";
SqlCommand sql = new SqlCommand(sqlcode,link);
link.open();
sql.ExecuteNonQuery();

This results in "Invalid column name abc123.jpg" returned from the try/catch.

Any help would be appreciated. (I wish they would let me do this in PHP lol!)

Thanks,

Tripbrock

标签: c# sql insert
举报
6条回答
看我几分像从前
2楼-- · 2019-02-26 20:15

Don't know if it is a typo but the line should be:

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

Notice the ) after upload_filename.

Also also added the single quotes around the filename.

But you probably want to use a parameterized query:

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";

Then use command.Parameters to add the actual value.

查看更多
0人赞 添加讨论(0) 举报
闹够了就滚
3楼-- · 2019-02-26 20:18

You are missing a parenthesis after the column name and the value represents a string and as such must be enclosed in quotes:

string sqlcode = "INSERT INTO file_uploads (upload_filename) " + 
                 "VALUES ('"+filename+"')";

However, the correct way would be to use a parameterized query:

string filename = "abc123.jpg";
SqlConnection link = new SqlConnection(/*you dont need to see my data here ;)*/);
string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
SqlCommand sql = new SqlCommand(sqlcode,link);
sql.Parameters.AddWithValue("@filename", filename);
link.open();
sql.ExecuteNonQuery();
查看更多
0人赞 添加讨论(0) 举报
够拽才男人
4楼-- · 2019-02-26 20:20

your SQL is bad formatted. Try this :

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

Where upload_filename is a name of the column

查看更多
0人赞 添加讨论(0) 举报
淡お忘
5楼-- · 2019-02-26 20:22

Really you should be parameterising your queries - this reduces the risk of injection attacks:

string filename = "abc123.jpg";
using( SqlConnection link = new SqlConnection(/*...*/;)) )
{
    // sql statement with parameter
    string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES (@filename)";
    using( SqlCommand sql = new SqlCommand(sqlcode,link) )
    {
        // add filename parameter
        sql.Parameters.AddWithValue("filename", filename);
        link.open();
        sql.ExecuteNonQuery();
    }
}

Also note the using statements - these make sure that the connection and command objects are disposed of.

查看更多
0人赞 添加讨论(0) 举报
Viruses.
6楼-- · 2019-02-26 20:31

looks like you are missing a bracket:

string sqlcode = "INSERT INTO file_uploads (upload_filename VALUES ("+filename+")";

Should be

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

Also, to avoid SQL injection attacks you can use the SQLCommand objects like so.

using (SQLCommand oSQLCommand = new SQLCommand("INSERT INTO file_uploads (upload_filename) VALUES ( @FileName )")
{
oSQLCommand.Parameters.AddWithValue("@FileName", filename);

oSQLCommand.ExecuteNonQuery();
}
查看更多
0人赞 添加讨论(0) 举报
时光不老,我们不散
7楼-- · 2019-02-26 20:39

Try

string sqlcode = "INSERT INTO file_uploads (upload_filename) VALUES ('"+filename+"')";

You were missing a closing parentheses.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)