我在 C# 代码中添加多行 SQL 代码,如下所示:
sqlCode = @"SELECT
w.objectID,
w.attr1397 'LastName',
w.attr1395 'FirstName',
w.attr1396 'MiddleName',
w.attr1404 'Gender',
w.attr1436 'OtherName',
convert(varchar,w.attr1402, 101) 'DOB' ,
w.attr1401 'SSN',
d.employmentStatus
FROM [db].[table] w left outer join
(
WHERE w.attr1397 = '" + k + "'
AND
w.attr1395 = c
AND
w.attr1401 = s
ORDER BY 4, 2, 3";
k
, c
,和s
是我想要使用的函数中的变量,这就是发生的情况:
如何解决?
最佳答案
您应该使用参数化查询作为第一步,以使您的代码安全可靠。
但你的错误是由 @char 前缀的逐字字符串中断引起的
sqlCode = @"SELECT
w.objectID,
w.attr1397 'LastName',
w.attr1395 'FirstName',
w.attr1396 'MiddleName',
w.attr1404 'Gender',
w.attr1436 'OtherName',
convert(varchar,w.attr1402, 101) 'DOB' ,
w.attr1401 'SSN',
d.employmentStatus
FROM [db].[table] w left outer join
(
WHERE w.attr1397 = '" + k + "'" +
" AND w.attr1395 = " + c +
" AND w.attr1401 = " + s +
" ORDER BY 4, 2, 3";
正如我所说,建议使用参数而不是字符串连接
sqlCode = @"SELECT
w.objectID,
w.attr1397 'LastName',
w.attr1395 'FirstName',
w.attr1396 'MiddleName',
w.attr1404 'Gender',
w.attr1436 'OtherName',
convert(varchar,w.attr1402, 101) 'DOB' ,
w.attr1401 'SSN',
d.employmentStatus
FROM [db].[table] w left outer join
(
WHERE w.attr1397 = @k
AND w.attr1395 = @c
AND w.attr1401 = @s
ORDER BY 4, 2, 3";
SqlCommand cmd = new SqlCommand(sqlCode, connection);
cmd.Parameters.AddWithValue("@k", k);
.....
关于c# - 如何在 C# 中的 SQL 查询中包含变量,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/24700131/