Making a search in C# but it doesn't work for text searching
I am faced with a problem that I searched for on Google but I can't find my answer. I want to make a search in a Windows Forms app in C#, but it only works with numeric values. My project is in Persian, so I need to search by an nvarchar value, and then it doesn't work. Please help me.
Here is my code; it gives this message: (Incorrect syntax near '=')
SqlDataAdapter da = new SqlDataAdapter( @"SELECT Dmokalafiat, Dihteyat FROM Armyservices where Ename = "+ txtsearch.Text,db.con);
DataTable dt = new DataTable();
da.Fill(dt);
if (dt.Rows.Count > 0)
{
Textbox1.Text = dt.Rows[0]["Dmokalafiat"].ToString();
Textbox2.Text = dt.Rows[0]["Dihteyat"].ToString();
}
I think it is because of SQL injection attacks. You can make it like this sample code:
using (var con = new SqlConnection(...))
using (var cmd = new SqlCommand("select Dmokalafiat, Dihteyat from Armyservices where Ename = @Ename", con))
{
    con.Open();
    // A .NET string is passed as an NVARCHAR parameter, so Persian text is compared
    // correctly against an nvarchar column; the name must match the one in the SQL exactly.
    cmd.Parameters.AddWithValue("@Ename", txtsearch.Text);
    var da = new SqlDataAdapter(cmd);
    var dt = new DataTable();
    da.Fill(dt);
    if (dt.Rows.Count > 0)
    {
        Textbox1.Text = dt.Rows[0]["Dmokalafiat"].ToString();
        Textbox2.Text = dt.Rows[0]["Dihteyat"].ToString();
    }
}
There are several problems in your example;
SqlDataAdapter da = new SqlDataAdapter( @"SELECT Dmokalafiat, Dihteyat FROM Armyservices where Ename = "+ txtsearch.Text,db.con);
should at least be
SqlDataAdapter da = new SqlDataAdapter( @"SELECT Dmokalafiat, Dihteyat FROM Armyservices where Ename = '"+ txtsearch.Text + "'",db.con);
However, this is not really good practice and you should use named parameters instead of concatenated values - but that's a different question.
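The two answers make complementary points: the unquoted concatenation only parses when the textbox holds a number, quoting the value fixes the syntax error but leaves the textbox in control of the WHERE clause, and a parameter separates the value from the SQL. The following script is an added example, not code from the question or either answer. It uses an in-memory SQLite table as a stand-in for the SQL Server table (an assumption made so it runs offline; the Armyservices rows are constructed) and runs the same search in all three shapes.

```python
import sqlite3

# Constructed sample data standing in for the Armyservices table (SQLite in
# memory instead of SQL Server; the names and values are made up).
ROWS = [
    ("علی رضایی", "no", "yes"),   # a Persian name, as an nvarchar value would be
    ("1234", "yes", "no"),        # a purely numeric Ename
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Armyservices (Ename TEXT, Dmokalafiat TEXT, Dihteyat TEXT)")
    con.executemany("INSERT INTO Armyservices VALUES (?, ?, ?)", ROWS)
    return con


def search_unquoted(con, text):
    """The question's query: the textbox value glued straight onto the SQL."""
    sql = "SELECT Dmokalafiat, Dihteyat FROM Armyservices WHERE Ename = " + text
    return con.execute(sql).fetchall()


def search_quoted(con, text):
    """The 'at least' fix from the second answer: wrap the value in quotes."""
    sql = "SELECT Dmokalafiat, Dihteyat FROM Armyservices WHERE Ename = '" + text + "'"
    return con.execute(sql).fetchall()


def search_param(con, text):
    """The parameterised form: the value travels separately from the SQL text."""
    sql = "SELECT Dmokalafiat, Dihteyat FROM Armyservices WHERE Ename = ?"
    return con.execute(sql, (text,)).fetchall()


def fails(fn, *args):
    """True if the query cannot be parsed or executed at all."""
    try:
        fn(*args)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    # Unquoted: digits parse as a numeric literal, so only numeric searches "work".
    print(search_unquoted(make_db(), "1234"))             # [('yes', 'no')]
    print(fails(search_unquoted, make_db(), "علی رضایی"))  # True: the words are read as SQL, not as a value
    print(fails(search_unquoted, make_db(), ""))          # True: the statement ends at '='
    # Quoted: text matches now, but the textbox still rewrites the WHERE clause.
    print(search_quoted(make_db(), "علی رضایی"))          # [('no', 'yes')]
    print(len(search_quoted(make_db(), "x' OR '1'='1")))  # 2: every row comes back
    print(fails(search_quoted, make_db(), "O'Brien"))     # True: an apostrophe in the name breaks the SQL
    # Parameterised: the same text matches and the injection string is just a string.
    print(search_param(make_db(), "علی رضایی"))           # [('no', 'yes')]
    print(search_param(make_db(), "x' OR '1'='1"))        # []
```

The empty-textbox case reproduces the shape of the error in the question: with nothing after the `=` the statement is incomplete, which is why the server complains about syntax near `=`. In the C# version the `@Ename` parameter plays the role of the `?` placeholder, and because SqlClient sends a .NET string as NVARCHAR, Persian text is compared correctly against the nvarchar column without any quoting on your side.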