[英]Using a Loop to add varying parameters to an SQL Query
So, I am trying to using conditional statements and check boxes on a form in c# to conditionally build a MySQL SQL query. 因此,我试图在C#中的表单上使用条件语句和复选框来有条件地构建MySQL SQL查询。 I don't see many topics on it so either I am doing something wrong (quite possible), or I am missing something simple.
我看不到很多话题,所以我做错了(很可能),或者我错过了一些简单的事情。 Either way, I have hit a wall and could use some help.
无论哪种方式,我都碰壁了,可以使用一些帮助。
Here is the scenario: I am trying to make a search form in c# for my MySQL database, and depending upon which options the user selects depends on how granular the search is. 这是场景:我正在尝试在c#中为我的MySQL数据库创建一个搜索表单,并且取决于用户选择的选项取决于搜索的粒度。
So basically it looks like this: 所以基本上看起来像这样:
/*Obviously sanitized
the variable areas*/
string exportQuery = "SELECT * FROM `/*Schema*/`.`/*Table*/` WHERE `/*PK*/`=";
List<string> parameters = new List<string>();
List<string> fields = new List<string>();
List<string> placeholders = new List<string>();
DataTable exportTemp;
int v = 0;
and at each point below that, it goes through a check like this: 并在其下的每个点进行如下检查:
if (/*ACheckBox*/.Checked == true)
{
v++;
/*String variable I initialized earlier*/ = DateTimePickerOnForm.Value.ToString("yyyy-MM-dd");
parameters.Add(/*String variable I initialized earlier*/);
fields.Add("AND `/*FieldX*/`=@/*FieldVar*/ ");
placeholders.Add("@/*FieldVar*/");
}
and at the end it counts them all up and starts adding: 最后,它们全部累加并开始添加:
if (v > 0)
{
//Build the custom Query
foreach (string s in fields)
{
exportQuery += s;
}
//tack on the closing semicolon
exportQuery += ";";
Program.conn.Open();
using (MySqlCommand data = new MySqlCommand(exportQuery, Program.conn))
{
data.Prepare();
for (int f = 0; f < v; f++)
{
data.Parameters.AddWithValue("\"" + placeholders[f] + "\"", parameters[f]);
}
//Datatable prep
exportTemp = Program.FillTable(data);/*this runs the query through the database*/
}
However, I am getting undefined variable errors back (eg "field1 must be defined"). 但是,我又收到了未定义的变量错误(例如,“必须定义field1”)。 Now some quick notes for clarification.
现在,一些简短的说明需要澄清。
• Where its throwing the error is in the first variable added with the loop. •引发错误的地方是循环添加的第一个变量。
• All areas where I just put a comment are sanitized, but when its used again I repeat the comment name. •我刚刚发表评论的所有区域均已清除,但再次使用时,我会重复评论名称。
• If I shouldn't be using this method, I am open to other methods. •如果我不应该使用此方法,则可以使用其他方法。
Edit: • the first parameter I am trying to pass is a string the snippet of a datetime area was chosen for its simplicity to demonstrate my methodology. 编辑:•我要传递的第一个参数是一个字符串,为便于说明我的方法,选择了日期时间区域的代码段。
Any help is appreciated, obviously trying to sanitize my inputs, but I am not sure what I am doing wrong. 感谢您提供任何帮助,显然是要清理输入内容,但我不确定自己做错了什么。
Change: 更改:
data.Parameters.AddWithValue("\"" + placeholders[f] + "\"", parameters[f]);
to: 至:
data.Parameters.AddWithValue(placeholders[f], parameters[f]);
placeholders[f]
contains @/*FieldVar*/
, which is the parameter name that AddWithValue
is expecting. placeholders[f]
包含@/*FieldVar*/
,这是AddWithValue
期望的参数名称。 If you surround it with extra double quotes, you end up trying to use a parameter named "@/*FieldVar*/"
, which doesn't match your SQL query and causes the "field1 must be defined" error. 如果用多余的双引号引起来,则最终将尝试使用名为
"@/*FieldVar*/"
的参数,该参数与SQL查询不匹配,并导致“必须定义field1”错误。
If you have a column of DATE or DATETIME in the MySQL table, you must pass a parameter value of System.DateTime
type, not a string with a formatted date. 如果MySQL表中有DATE或DATETIME列,则必须传递
System.DateTime
类型的参数值,而不是带有格式化日期的字符串。
List<object> parameters = new List<object>();
...
parameters.Add(fieldVar, DateTimePickerOnForm.Value);
...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.