c# - SQL syntax error

Tags: c# mysql

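When I try to insert data using the form, it throws the exception (e1) "Error Occured Please Try Again" You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near " at line 1
Please help me correct this error.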

StringBuilder query = new StringBuilder();
query.Append("Insert Into my_project_data.vehicle(ChassyNumber ,ManufacturedYear, EngineCapacity,Price,Features ,VehicleBrand , VehicleType) Values('" + chassy_txt.Text + "','"+manufac_year_txt.Text+"','"+Engine_Capasity_txt.Text+"','"+Price_txt.Text+"','"+Features_rich_txt.Text+"',");

Classes.DB_Connectivity db = new Classes.DB_Connectivity();

try
{
    db.openConnection();

        if ((radioButton1.Checked || radioButton2.Checked) && (radioButton7.Checked || radioButton11.Checked) && ( manufac_year_txt.Text != "" && Engine_Capasity_txt.Text != "" && Price_txt.Text != "" && Features_rich_txt.Text != ""))
        {


            if (radioButton1.Checked)
            {
                query.Append("BMW ,");

            }
            if (radioButton2.Checked) 
            {
                query.Append("Benz , ");
            }
            if (radioButton7.Checked)
            {
                query.Append("Car ,");
            }
            if (radioButton11.Checked)
            {
                query.Append("SUV ,");
            }

           if ( manufac_year_txt.Text != "" && Engine_Capasity_txt.Text != "" && Price_txt.Text != "" && Features_rich_txt.Text != "")
           { 
               query.Append(" '"+manufac_year_txt.Text+"', '"+Engine_Capasity_txt.Text+"','"+Price_txt.Text+"','"+Features_rich_txt.Text+"'");
            }

            MySqlCommand cmd = new MySqlCommand(query.ToString(), db.conn);
            cmd.ExecuteNonQuery();


            MessageBox.Show(" Vehicle Registration Successfull ", "Information", MessageBoxButtons.OK, MessageBoxIcon.Information);


        }
        else
        {
            MessageBox.Show("Fill All Required Information ", "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
        }

}
catch (Exception e1)
{
    MessageBox.Show("Error Occured Please Try Again "  +e1.Message,"Error",MessageBoxButtons.OK,MessageBoxIcon.Error);
}

Best answer

You probably missed an apostrophe at the end of the line (added in bold):

query.Append("Insert Into my_project_data.vehicle(ChassyNumber ,ManufacturedYear, EngineCapacity,Price,Features ,VehicleBrand , VehicleType) Values('" + chassy_txt.Text + "','"+manufac_year_txt.Text+"','"+Engine_Capasity_txt.Text+"','"+Price_txt.Text+"','"+Features_rich_txt.Text+"',");

It should be '"+Features_rich_txt.Text+"','"); you have: '"+Features_rich_txt.Text+"',");

Also, you need to add an apostrophe after the car models, like: query.Append("BMW',"); and so on.

Also consider one of the above comments about SQL injection.

Regarding c# - SQL syntax error, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/25999487/
