[英]MSSQL query in C#, Geting part of WHERE clause from a string
I am using following code: 我正在使用以下代码:
string str = "ID = 15";
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and '"+str+"' " , con))
I am getting this error: 我收到此错误:
near 'ID = 15' is a non boolean expression specified in a context where a condition is expected.
I know I can use the above code like this: 我知道我可以像这样使用上面的代码:
int id = 15;
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and (ID='"+str+"')" , con))
It works fine like this but I want to use it as mentioned in first code above. 这样工作正常,但我想按上面第一个代码中所述使用它。 Because the number of IDs is not fixed they can be 2,3 or more.
由于ID的数量不是固定的,因此可以为2,3或更大。 Just for simplicity I put my code here like this.
为了简单起见,我将代码放在这里。
The first version should be (from your second "working" query, you need simple quotes around 15, not around the entire expression). 第一个版本应该是(从第二个“有效”查询中,您需要在15附近加上简单的引号,而不是整个表达式周围)。
str = "ID = '15'";
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and "+str , con))
By the way, you should user Parameters, not direct strings. 顺便说一句,您应该使用参数,而不是直接字符串。
If you need an IN clause, you may look at that question 如果您需要一个IN子句,则可以查看该问题
A simple error, do not put single quotes before and after the string 一个简单的错误,不要在字符串前后加上单引号
using (SqlCommand cmd = new SqlCommand("SELECT * FROM Cutomer " +
"WHERE (Status='Umbruch') AND " + str , con))
of course this assumes that your ID field is numeric and not a text field. 当然,这假定您的ID字段是数字字段而不是文本字段。
In the latter case you should put the single quotes around the 15 constant 在后一种情况下,您应该将单引号放在15个常数周围
string str = "ID = '15'";
As a side note, keep in mind that string concatenation is really dangerous because your code could be exploited with a simple Sql Injection attack. 附带说明一下,请记住,字符串连接确实很危险,因为可以通过简单的Sql Injection攻击来利用您的代码。 In this very specific case there is no possibility for injection.
在这种非常特殊的情况下,不可能进行注射。
If you receive the ID to search for from a user input, do not use string concatenation to build sql commands. 如果您从用户输入中收到要搜索的ID,请不要使用字符串串联来构建sql命令。 Instead use a parameterized query
而是使用参数化查询
using (SqlCommand cmd = new SqlCommand("SELECT * FROM Cutomer " +
" Where (Status='Umbruch') and ID=@custID" , con))
{
cmd.Parameters.AddWithValue("@custID", 15);
......
}
You're making it a literal here: 您在这里将其设为文字:
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and '"+str+"' " , con))
It should be: 它应该是:
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and "+str, con))
Note the slight difference in which the '
were removed. 请注意,删除了
'
的细微差别。
Further, please read through my blog post on why you're open to SQL injection and why you need to leverage parameterized SQL instead of raw SQL. 此外,请阅读我的博客文章 ,了解为什么您愿意接受SQL注入以及为什么需要利用参数化SQL而不是原始SQL。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.