{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 女痞 的问题《Incorrect syntax near '<'. The label &#》','https://www.manongdao.com/q-901531.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am getting a string from a database that is in xml format and trying to update the xml with the following query:
ExecuteNonQuery("Update Logs SET Message = " + encryptedMessage + " WHERE ID = " + message.Id);
but it gives me the error message:
Incorrect syntax near '<'.
The label 'xmlns' has already been declared. Label names must be unique within a query batch or stored procedure.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
An object or column name is missing or empty. For SELECT INTO statements, verify each column has a name. For other statements, look for empty alias names. Aliases defined as "" or [] are not allowed. Change the alias to a valid name.
I have a feeling it might have something to do with the quotes, but I am not sure. I have tried different options like single quotes, mixture,etc.
For example, if I do:
ExecuteNonQuery("Update Logs SET Message = " + encryptedMessage.Replace('"','\'')+ " WHERE ID = " + message.Id);
Would this permanently update the double quotes in the message to single quotes. I don't want to do this.
Use parametrized query and command object instead, your encryptedMessage might contain characters which break the syntax of your UPDATE statement.
Yes, it looks like you are missing the quotes around the message:
The XML itself probably has single quotes in it as well, so you may need to escape those (e.g. change one single quote to two single quotes inside the message)
As @Tomek mentioned you should use parameterized queries. It is more secure and removes the need for doing the conversions suggested in @Dan Sueava's answer.