c# - SqlCommand AddWithValue and if statements relating to a GridView

Tags: c# mysql gridview sqlcommand

I'm trying to build a web form that uses SQL queries to help populate various drop-down lists and displays the results in a GridView. The problem I'm currently having is getting the user's input to replace the variables in the SQL query.

My query is as follows:

SELECT TOP 50 
    'Select' AS 'Select',
    id_ref AS 'Number',
    created_date AS 'Date Created',
    address 'Address', 
    category AS 'Category',
    borough 
FROM Events 
WHERE location_address LIKE '%%' 
    AND borough @borcond 
    AND admin_ref @stacond 
    AND id_ref @Numcond 
    AND category @cat 
    AND created_date @startDate 
    AND created_date @endDate 
    AND address LIKE @Addresscond 
ORDER BY id_todays_date DESC

My C# code is as follows:

using System;
using System.Data;
using System.Data.SqlClient;

public void SQLQueryv2(
    string AddressSel, 
    string startDateSel, 
    string endDateSel, 
    string incidentSel, 
    string borsel, 
    string stasel, 
    string numsel)
{
    //this is filled in really
    SqlConnection Connection = new SqlConnection(
        "Data Source=;Initial Catalog=;User=;Password=;");
    string sqlquery = <<as above>>

    try
    {
        SqlCommand Command = new SqlCommand(sqlquery, Connection);
        Connection.Open();

        // Every branch below binds a parameter whose *value* contains an
        // operator (e.g. "= 'Camden'" or " = IS NOT NULL "). A parameter is
        // sent to the server as data, never as SQL text, so these strings are
        // compared literally instead of becoming part of the WHERE clause.
        if (borsel == "Select Borough") 
        { 
            Command.Parameters.AddWithValue("@borcond", " = IS NOT NULL "); 
        } 
        else 
        { 
            Command.Parameters.AddWithValue("@borcond", "= " + "'" + borsel + "'"); 
        }
        if (stasel == "Select Town") 
        { 
            Command.Parameters.AddWithValue("@stacond", " = IS NOT NULL "); 
        } 
        else 
        { 
            // The original bound "@borcond"/borsel again here (copy-paste slip),
            // which left @stacond unset and declared @borcond twice.
            Command.Parameters.AddWithValue("@stacond", "= " + "'" + stasel + "'"); 
        }
        if (startDateSel == "") 
        { 
            Command.Parameters.AddWithValue("@startDate", " = IS NOT NULL"); 
        } 
        else 
        { 
            Command.Parameters.AddWithValue(
                "@startDate", 
                ">= CONVERT(datetime," + "'" + startDateSel + "'" + ",103)"); 
        }
        if (endDateSel == "") 
        { 
            Command.Parameters.AddWithValue("@endDate", " = IS NOT NULL"); 
        } 
        else 
        { 
            // The original used ">=" here too, so @endDate never acted as an
            // upper bound; "<=" is what a date range needs.
            Command.Parameters.AddWithValue(
                "@endDate", 
                "<= CONVERT(datetime," + "'" + endDateSel + "'" + ",103)"); 
        }
        if (incidentSel == "Select Category") 
        { 
            Command.Parameters.AddWithValue(
                "@cat", 
                " in ('cat a','cat b','cat c')"); 
        } 
        else 
        {
            Command.Parameters.AddWithValue(
                "@cat",
                " AND category =" + "'" + incidentSel + "'"); 
        }
        if (AddressSel == "") 
        { 
            Command.Parameters.AddWithValue("@Addresscond", "%%"); 
        } 
        else 
        {
            // This is the one parameter used correctly: a plain value for LIKE.
            Command.Parameters.AddWithValue("@Addresscond", "%" + AddressSel + "%");
        }
        if (numsel == "") 
        { 
            Command.Parameters.AddWithValue("@Numcond", " = IS NOT NULL "); 
        } 
        else 
        { 
            Command.Parameters.AddWithValue("@Numcond", "= " + "'" + numsel + "'"); 
        }

        //use adapter to populate dataset...
        SqlDataAdapter DataAdapter = new SqlDataAdapter(Command);
        DataTable DataTable = new DataTable();
        DataAdapter.Fill(DataTable);

        //then bind dataset to the gridview
        GridView1.AutoGenerateColumns = true;
        GridView1.DataSource = DataTable;
        GridView1.DataBind();
        lblResults.Visible = true;
        lblResults.ForeColor = System.Drawing.Color.Green;
        // The original counted Dataset.Tables[0], which is never declared here;
        // the filled DataTable already knows how many rows came back.
        lblResults.Text = "Your search has returned " 
            + DataTable.Rows.Count.ToString() 
            + " records.";
    }
    catch (Exception err)
    {
        lblResults.Visible = true;
        lblResults.ForeColor = System.Drawing.Color.Red;
        lblResults.Text = 
            "An error has occurred loading data into the table view. ";
        lblResults.Text += err.Message;
    }
    finally
    {
        // Release the connection whether or not the query succeeded.
        Connection.Close();
    }
}

When it runs, the GridView doesn't populate, and the query (on investigation) still contains the variables rather than "IS NOT NULL" or the user's input.

I think the IF statements have something to do with it, but I'm not entirely sure. I think I just need another pair of eyes on this; any help would be much appreciated.

More info: if I take out the SqlCommand part, it works perfectly with the IF statements. I'm trying to stop people from using malicious SQL queries.

Best answer

This really isn't the right way to use parameters. You should only assign them values, not add comparison operators. Here is an example of how to "fix" the query for the @borcond parameter:

...
AND ((@borcond = 'Select Borough' AND borough IS NOT NULL) 
    OR borough = @borcond)
...

Note: you don't need the equals sign with IS NOT NULL.

and replace the if-else with

Command.Parameters.AddWithValue("@borcond", borsel);

You'll need to make similar changes for all the parameters. The trick here is basically to move the if-else logic out of the code and into the SQL query.

Also, I don't think you need location_address LIKE '%%' in the query, since it just matches everything.
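The answer's pattern carried through all of the asker's optional filters, as an added example that is not part of the original question or answer. It uses Python's sqlite3 module as a stand-in for SqlCommand and SQL Server so it runs offline; the Events table, its rows and the subset of columns are constructed for the example (assumptions, not the asker's real schema), placeholders are written `:name` rather than `@name`, dates are stored as ISO text so that string comparison orders them, and the end-date branch uses `<=`. Beside the corrected query it keeps two functions that reproduce what the question was fighting: binding an operator inside the parameter value, and the string concatenation that parameters exist to replace.

```python
import sqlite3

# Constructed sample rows standing in for the asker's Events table (an
# assumption: only the columns the example needs, dates as ISO text).
EVENTS = [
    (1, "2014-11-01", "10 High Street", "cat a", "Camden"),
    (2, "2014-11-05", "22 Low Road", "cat b", "Hackney"),
    (3, "2014-11-09", "5 High Street", "cat a", "Hackney"),
    (4, "2014-11-12", "7 Mill Lane", "cat c", "Camden"),
]

# The answer's pattern for every optional filter: the "nothing chosen" sentinel
# is tested against the parameter itself, so the if/else lives in SQL and the
# calling code only ever does Command.Parameters.AddWithValue("@name", value).
SEARCH_SQL = """
SELECT id_ref, created_date, address, category, borough
FROM Events
WHERE ((:borough = 'Select Borough' AND borough IS NOT NULL) OR borough = :borough)
  AND ((:category = 'Select Category' AND category IS NOT NULL) OR category = :category)
  AND (:start_date = '' OR created_date >= :start_date)
  AND (:end_date = '' OR created_date <= :end_date)
  AND address LIKE '%' || :address || '%'
ORDER BY id_ref DESC
"""


def open_db():
    """Create an in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Events (id_ref INTEGER, created_date TEXT, "
        "address TEXT, category TEXT, borough TEXT)"
    )
    conn.executemany("INSERT INTO Events VALUES (?, ?, ?, ?, ?)", EVENTS)
    return conn


def search(conn, borough="Select Borough", category="Select Category",
           start_date="", end_date="", address=""):
    """Run the parameterised search; returns matching id_ref values, newest first.

    The defaults are the drop-down / textbox "nothing chosen" values from the
    question, passed through unchanged: no operators, no quoting, no branching.
    """
    params = {
        "borough": borough,
        "category": category,
        "start_date": start_date,
        "end_date": end_date,
        "address": address,
    }
    return [row[0] for row in conn.execute(SEARCH_SQL, params)]


def operator_in_parameter(conn, borough):
    """Reproduces the question's mistake on a single filter.

    The bound value "= 'Camden'" travels as data, so the engine compares the
    borough column with that literal string and nothing matches.
    """
    sql = "SELECT id_ref FROM Events WHERE borough = :cond"
    return [row[0] for row in conn.execute(sql, {"cond": "= '" + borough + "'"})]


def concatenated_unsafe(conn, borough):
    """What the question was (rightly) trying to avoid: user text pasted into SQL.

    Kept only for contrast; search() above is the replacement.
    """
    sql = "SELECT id_ref FROM Events WHERE borough = '" + borough + "'"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = open_db()
    print(search(db))                                    # every row, newest first
    print(search(db, borough="Hackney", address="High"))  # just row 3
    print(operator_in_parameter(db, "Camden"))           # []: operator is only text
    hostile = "x' OR '1'='1"
    print(concatenated_unsafe(db, hostile))              # every row: injected
    print(search(db, hostile))                           # []: bound as a literal
```

The last two calls are the whole argument for parameters: the same hostile string widens the concatenated query to the entire table but, bound as `:borough`, is just a borough name that no row has. The `IS NOT NULL` half of each sentinel branch mirrors the answer's snippet; it only matters for rows where that column is NULL, which the "nothing chosen" case then excludes.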

Regarding c# - SqlCommand AddWithValue and if statements relating to a GridView, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/26846263/
