// Builds one INSERT statement for detail row i and appends it to the accumulated _detailSql
// batch. The enclosing loop, ordersnumber, ProcductsPrint, UserId and the later ExecSql call
// are outside this excerpt.
DataRow row = this.OrderGoodsDetails.Rows[i];
// NOTE(review): the statement text is assembled with string.Format directly from DataRow
// values, so a value containing a quote breaks the SQL, and if those values come from user
// input the query is open to SQL injection; each value should be passed as a SqlParameter
// instead of being formatted into the string.
// Placeholders {1}, {5}, {6}, {7} and {9} (ProductsID, NUM, PRICE, SUM, Operator) are emitted
// unquoted as numerics. When such a cell is DBNull or an empty string, string.Format emits
// nothing in that position and the statement reads "...,,...", which is the likely origin of
// the "syntax error near ','" reported below — worth checking those cells before formatting.
// Also note the ProductsName column is filled from row["ProductsType"] — confirm that is intended.
_detailSql += string.Format(@"INSERT INTO OrderOds_Detail(OrdersNumber,ProductsID,ProductsName,ProductsColor,ProcductsPrint,NUM,PRICE,SUM,REMARK,Operator,Changed_Date,Is_USED,Version) VALUES('{0}',{1},'{2}','{3}','{4}',{5},{6},{7},'{8}',{9},getdate(),'1',0);",ordersnumber,row["ProductsID"],row["ProductsType"],row["ProductsColor"],ProcductsPrint,row["NUM"],row["PRICE"],row["SUM"],row["REMARK"],UserId);// ordersnumber is assigned normally (per the author)
异常详细信息: System.Data.SqlClient.SqlException: ',' 附近有语法错误。源错误:
行 367: + _detailSql + " end;";
行 368: }
行 369: DBclass.ExecSql(sql);
行 370: Response.Redirect("OrderManage.aspx");
行 371: }
另外，编写 SQL 语句最好使用参数化查询，这样可以防止注入攻击。