使用 SQLCommand 在 C# 中进行 SQL 多行查询
[英]SQL Multi line query in C# using SQLCommand
问题描述
I want to load specific data from different tables in SQL Server using C# But i got an error Incorrect syntax near the keyword 'as'. Incorrect syntax near 'EP'. Incorrect syntax near the keyword 'AND'.
我想使用 C# 从 SQL Server 中的不同表加载特定数据,但Incorrect syntax near the keyword 'as'. Incorrect syntax near 'EP'. Incorrect syntax near the keyword 'AND'.出现Incorrect syntax near the keyword 'as'. Incorrect syntax near 'EP'. Incorrect syntax near the keyword 'AND'.错误Incorrect syntax near the keyword 'as'. Incorrect syntax near 'EP'. Incorrect syntax near the keyword 'AND'. Incorrect syntax near the keyword 'as'. Incorrect syntax near 'EP'. Incorrect syntax near the keyword 'AND'. The code run well as i have put a messageBox to show the query, a messageBox popsup and show full query but after that i have got an error as i have mentioned above Here is the Code代码运行良好,因为我已经放置了一个 messageBox 来显示查询,弹出一个 messageBox 并显示完整的查询,但之后我遇到了上面提到的错误 这是代码
private void FillGridView()
{
CS = ConfigurationManager.ConnectionStrings["HRMSConnectionString"].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{ SqlCommand cmd = new SqlCommand(query, con);
con.Open();
SqlDataAdapter ad = new SqlDataAdapter(cmd);
ad.Fill(dt);
gvShowAllData.DataSource = dt;
}
}
Here is the Query这是查询
string query = @"Select 'ACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact" +
",D.desig_id,D.desig_name" +
"from EMP_Master as e,EMP_Posting_Log as p,EMP_Designation AS D" +
"where e.emp_id=p.emp_id" +
"AND P.desg_id=D.desig_id" +
"and p.status='ACTIVE'" +
"AND E.emp_name LIKE '%" + tbSearchName.Text + "%'" +
"UNION" +
"Select 'INACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact" +
",NULL,NULL" +
"from EMP_Master as e" +
"WHERE E.emp_id IN (SELECT DISTINCT EP.emp_id FROM EMP_Posting_Log AS EP" +
"WHERE EP.status='INACTIVE')" +
"AND E.emp_name LIKE '%" + tbSearchName.Text + "%'" +
"UNION" +
"Select 'NOT POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact" +
",NULL,NULL" +
"from EMP_Master as e" +
"WHERE E.emp_id NOT IN (SELECT DISTINCT EP1.emp_id FROM EMP_Posting_Log AS EP1)" +
"AND E.emp_name LIKE '%" + tbSearchName.Text + "%'";
3 个解决方案
解决方案1
9 2016-11-08 15:28:27
You need spaces between your string parts.您的字符串部分之间需要空格。 You are expecting the concatenation to create new lines but the reality is that is not how it works.您期望串联创建新行,但实际情况并非如此。 If you want a new line or a space between strings you need to add that in the string.如果您想要一个新行或字符串之间的空格,则需要将其添加到字符串中。
The more important issue is that your query is vulnerable to sql injection attacks.更重要的问题是您的查询容易受到 sql 注入攻击。 You should always use parameters for user input.您应该始终为用户输入使用参数。
string query = @"Select 'ACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact,D.desig_id,D.desig_name
from EMP_Master as e,EMP_Posting_Log as p,EMP_Designation AS D
where e.emp_id=p.emp_id
AND P.desg_id=D.desig_id
and p.status='ACTIVE'
AND E.emp_name LIKE @tbSearchName
UNION
Select 'INACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact,NULL,NULL
from EMP_Master as e
WHERE E.emp_id IN (SELECT DISTINCT EP.emp_id FROM EMP_Posting_Log AS EP
WHERE EP.status='INACTIVE')
AND E.emp_name LIKE @tbSearchName
UNION
Select 'NOT POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact,NULL,NULL
from EMP_Master as e
WHERE E.emp_id NOT IN (SELECT DISTINCT EP1.emp_id FROM EMP_Posting_Log AS EP1)
AND E.emp_name LIKE @tbSearchName";
as for adding a parameter:至于添加参数:
cmd.Parameters.Add(new SqlParameter("@tbSearchName", SqlDbType.VarChar) {Value = "%" + tbSearchName.Text + "%"});
解决方案2
3 2016-11-08 15:27:27
Your problems are because of the concatenation of strings.你的问题是因为字符串的串联。 You can write strings on multiple lines without using + when you start your string with @当您以@开头的字符串时,您可以在不使用+情况下在多行上编写字符串
string query = @"
Select 'ACTIVE POSTING' as POSTING, e.emp_id, e.emp_name,
e.emp_fathername, e.emp_nic, e.emp_contact, D.desig_id, D.desig_name
//and so on continue with your query
";
Also look into SqlCommand.Parameters to prevent your code from sql injection.还要查看SqlCommand.Parameters以防止您的代码被 sql 注入。
解决方案3
3 已采纳 2016-11-08 15:35:19
although it appears 'in lines' in your code, you are just making one big line of SQL and your spaces are incorrect - you could try something like尽管它在您的代码中出现在“行”中,但您只是在制作一大行 SQL 并且您的空格不正确-您可以尝试类似的方法
System.Text.StringBuilder sb = new System.Text.StringBuilder();
sb.AppendLine(@"Select 'ACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact");
sb.AppendLine(@",D.desig_id,D.desig_name");
sb.AppendLine(@"from EMP_Master as e,EMP_Posting_Log as p,EMP_Designation AS D");
sb.AppendLine(@"where e.emp_id=p.emp_id");
sb.AppendLine(@"AND P.desg_id=D.desig_id");
sb.AppendLine(@"and p.status='ACTIVE'");
sb.AppendLine("AND E.emp_name LIKE '%" + tbSearchName.Text.Replace(@"'",@"''") + "%'"); //escape single quote to avoid SQL injection attack
//....and so on with the rest of your lines
string query = sb.ToString();
//then as before
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.