C#中的MSSQL查询,从字符串获取WHERE子句的一部分
[英]MSSQL query in C#, Geting part of WHERE clause from a string
问题描述
I am using following code: 
我正在使用以下代码:
string str = "ID = 15";
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and '"+str+"' " , con))
I am getting this error: 我收到此错误:
near 'ID = 15' is a non boolean expression specified in a context where a condition is expected.
I know I can use the above code like this: 我知道我可以像这样使用上面的代码:
int id = 15;
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and (ID='"+str+"')" , con))
It works fine like this but I want to use it as mentioned in first code above. 这样工作正常,但我想按上面第一个代码中所述使用它。 Because the number of IDs is not fixed they can be 2,3 or more. 由于ID的数量不是固定的,因此可以为2,3或更大。 Just for simplicity I put my code here like this. 为了简单起见,我将代码放在这里。
3 个解决方案
解决方案1
1 2013-12-17 15:20:54
The first version should be (from your second "working" query, you need simple quotes around 15, not around the entire expression). 第一个版本应该是(从第二个“有效”查询中,您需要在15附近加上简单的引号,而不是整个表达式周围)。
str = "ID = '15'";
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and "+str , con))
By the way, you should user Parameters, not direct strings. 顺便说一句,您应该使用参数,而不是直接字符串。
If you need an IN clause, you may look at that question 如果您需要一个IN子句,则可以查看该问题
解决方案2
1 2013-12-17 15:21:02
A simple error, do not put single quotes before and after the string 一个简单的错误,不要在字符串前后加上单引号
using (SqlCommand cmd = new SqlCommand("SELECT * FROM Cutomer " +
"WHERE (Status='Umbruch') AND " + str , con))
of course this assumes that your ID field is numeric and not a text field. 当然,这假定您的ID字段是数字字段而不是文本字段。
In the latter case you should put the single quotes around the 15 constant 在后一种情况下,您应该将单引号放在15个常数周围
string str = "ID = '15'";
As a side note, keep in mind that string concatenation is really dangerous because your code could be exploited with a simple Sql Injection attack. 附带说明一下,请记住,字符串连接确实很危险,因为可以通过简单的Sql Injection攻击来利用您的代码。 In this very specific case there is no possibility for injection. 在这种非常特殊的情况下,不可能进行注射。
If you receive the ID to search for from a user input, do not use string concatenation to build sql commands. 如果您从用户输入中收到要搜索的ID,请不要使用字符串串联来构建sql命令。 Instead use a parameterized query 而是使用参数化查询
using (SqlCommand cmd = new SqlCommand("SELECT * FROM Cutomer " +
" Where (Status='Umbruch') and ID=@custID" , con))
{
cmd.Parameters.AddWithValue("@custID", 15);
......
}
解决方案3
0 已采纳 2013-12-17 15:20:40
You're making it a literal here: 您在这里将其设为文字:
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and '"+str+"' " , con))
It should be: 它应该是:
using (SqlCommand cmd = new SqlCommand("SELECT * " +
"FROM Cutomer" +
" Where (Status='Umbruch') and "+str, con))
Note the slight difference in which the ' were removed. 请注意,删除了'的细微差别。
Further, please read through my blog post on why you're open to SQL injection and why you need to leverage parameterized SQL instead of raw SQL. 此外,请阅读我的博客文章 ,了解为什么您愿意接受SQL注入以及为什么需要利用参数化SQL而不是原始SQL。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.