通过复选框列表在VB.net中创建SQL查询

Question

I have a checkboxlist and I populate it dynamically from a database. 我有一个清单，并从数据库中动态填充它。 For example after i populate the checkboxlist is like that: 例如，在我填充复选框后，就像这样：

Los Angeles 洛杉矶
New York 纽约
London 伦敦
Berlin 柏林
Amsterdam 阿姆斯特丹

I want to create a SQL query according to the checkboxes are checked. 我想根据选中的复选框创建一个SQL查询。 If i want to choose only one city (eg only New York) i want the result to be: 如果我只选择一个城市（例如，仅纽约），我希望结果是：

(City = 2) （城市= 2）

Thats works properly but when i have multiple cities (eg New York, London and Amsterdam) i want the result to be for example: 那可以正常工作，但是当我有多个城市（例如纽约，伦敦和阿姆斯特丹）时，我希望结果例如：

(City = 2) OR (City = 3) OR (City = 5) （城市= 2）或（城市= 3）或（城市= 5）

Or if i choose Los Angeles and Berlin I want the result to be like this: 或者，如果我选择洛杉矶和柏林，我希望结果是这样的：

(City = 1) OR (City = 4) （城市= 1）或（城市= 4）

How can i achieve this? 我怎样才能做到这一点？ That's my code below but I am stacked. 那是我下面的代码，但我被堆积了。 Any ideas? 有任何想法吗？

Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Dim var As String = ""
    Dim counter As Integer = 0
    Dim myList As New List(Of String)()
    For i As Integer = 0 To CheckBoxList1.Items.Count - 1
        If CheckBoxList1.Items(i).Selected Then
            myList.Add(i + 1)
            counter = counter + 1
            If counter = 1 Then
                var = "(City =" & i + 1 & ")"
            Else
                Console.WriteLine(myList(1))
                Dim myArray As String() = myList.ToArray()
                For j As Integer = 1 To myArray.Length
                    Dim var2 As String = " OR (City =" & counter & ")"
                    var = "(City =" & myArray(0) & ")" & var2
                Next
            End If
        End If
    Next
    SQL = "SELECT * FROM Data1 WHERE (" & var & ") ORDER BY [ID]"
    Session("Search") = SQL
    Server.Transfer("Data_Form.aspx")
End Sub

Answer 1

What I recommend most strongly is to look into Table-value Parameters: 我最强烈建议您查看表值参数：

http://msdn.microsoft.com/en-us/library/bb675163(v=vs.110).aspx http://msdn.microsoft.com/en-us/library/bb675163(v=vs.110).aspx

This will fix your issue and help you avoid sql injection vulnerabilities. 这将解决您的问题并帮助您避免sql注入漏洞。

But if you really insist on using string concatenation, try using an IN() condition, where you end up with something more like CITY IN (1,2) instead of (City = 1 OR City = 2) . 但是，如果您确实坚持使用字符串连接，请尝试使用IN()条件，在此条件下最终会出现类似CITY IN (1,2)而不是(City = 1 OR City = 2) 。 You can make this a bit easier to write by leading with an unused ID, like so: 您可以通过使用未使用的ID来使其更容易编写，如下所示：

Dim cityClause As String = " CITY IN (-1{0})" 'start with a valid clause
Dim cityIDs As String = ""
For Each box As ListItem In CheckBoxList1.Items.Where(Function(b) b.Selected)
     'Try storing the ID for each city in the value part of each listitem,
     ' rather than using the index order 
     cityIDs = cityIDs & "," & box.Value
Next box
cityClause = string.Format(cityClause, cityIDs)

Answer 2

You can use City IN(2,3,5) instead of (City = 2) OR (City = 3) OR (City = 5) : 您可以使用City IN(2,3,5)代替(City = 2) OR (City = 3) OR (City = 5) ：

Protected Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
    Dim condition As String = ""
    For i As Integer = 0 To CheckBoxList1.Items.Count - 1
        If CheckBoxList1.Items(i).Selected Then
            condition = condition & "," & (i + 1)
        End If
    Next
    SQL = "SELECT * FROM Data1 WHERE (" & condition.SubString(1) & ") ORDER BY [ID]"
    Session("Search") = SQL
    Server.Transfer("Data_Form.aspx")
End Sub

通过复选框列表在VB.net中创建SQL查询

问题描述

2 个解决方案

解决方案1
2 2014-04-04 18:07:28

解决方案2
1 已采纳 2014-04-04 18:14:01

通过复选框列表在VB.net中创建SQL查询

问题描述

2 个解决方案

解决方案1 2 2014-04-04 18:07:28

解决方案2 1 已采纳 2014-04-04 18:14:01

解决方案1
2 2014-04-04 18:07:28

解决方案2
1 已采纳 2014-04-04 18:14:01