Can't read data from SQL Server using ADO.NET connected architecture

The problem occurs when I try to read data from a local database using SqlDataReader and insert data into a ListBox. I can't get any results, even though I should. The thing is, when I run ingilizceSorgusu in SSMS, it works fine; I can retrieve the data into the result table. I think there is something that I'm missing about SqlDataReader.

This is my code:

    using System;
    using System.Collections;
    using System.Data;
    using System.Data.SqlClient;
    using System.Windows.Forms;

    namespace Sozluk // namespace name assumed; the original post omits the opening line
    {
    public partial class Arama : Form
    {
        #region Nesneler
        SqlCommand Sorgu;
        SqlConnection Baglanti;
        SqlDataReader Okuyucu;
        IEnumerator Numarala;
        string baglantiCumlesi = @"Server = ABRA\VERITABANIM;Initial Catalog = Sozluk; Integrated Security = True";
        // Note: '@deger%' is inside a quoted literal, so the parameter added later is never substituted
        string ingilizceSorgusu = "SELECT [KA].[Anlam] " +
                                  "FROM [KelimeAnlam] [KA] " +
                                  "LEFT OUTER JOIN [IngKelimeler] [IK] ON [KA].[KelimeID] = [IK].[ID] " +
                                  "WHERE [IK].[Kelime] LIKE '@deger%'";
        // Same issue here: the parameter name is part of the string literal
        string turkceSorgusu = "SELECT [IK].[Kelime] " +
                                  "FROM [IngKelimeler] [IK] " +
                                  "LEFT OUTER JOIN [KelimeAnlam] [KA] ON [KA].[KelimeID] = [IK].[ID] " +
                                  "WHERE [KA].[Anlam] LIKE '@deger%'";

        #endregion

        #region Metotlar

        public Arama()
        {
            InitializeComponent();
            ingilizceSecim.Select();

            Baglanti = new SqlConnection(baglantiCumlesi);
            Duzenle();
        }

        private void Duzenle()
        {
            kelimeGiris.Select();
            kelimeGiris.SelectionStart = 0;
            sonucListe.Items.Clear();
        }

        private void Cikis_Click(object sender, EventArgs e)
        {
            this.Close();
        }

        #endregion

        #region Giriş alanı

        private void KayitIsle(object sender, EventArgs e)
        {
            string girdi;

            #region İngilizce seçim

            if (ingilizceSecim.Checked)
            {
                #region Sorgu alanı
                #region Girdi kontrol

                if (!kelimeGiris.Text.Equals(String.Empty))
                    girdi = kelimeGiris.Text.ToLower();
                else
                {
                    MessageBox.
                        Show("Lütfen İngilizce kelime alanını boş bırakmayınız.",
                        "Boş alan",
                        MessageBoxButtons.OK,
                        MessageBoxIcon.Error);

                    Duzenle();

                    return;
                }

                #endregion

                #region Bağlantı
                Baglanti.Open();

                #region Sorgu
                using (Sorgu = new SqlCommand(ingilizceSorgusu, Baglanti))
                {
                    Sorgu.Parameters.AddWithValue("@deger", girdi);
                    Sorgu.CommandType = CommandType.Text;

                    Okuyucu = Sorgu.ExecuteReader();

                    // Can't retrieve data into ListBox here
                    while (Okuyucu.Read())
                        sonucListe.Items.Add(Okuyucu["Anlam"].ToString());

                    Okuyucu.Close();
                }
                #endregion

                Baglanti.Close();
                #endregion
                #endregion

                return;
            }
            #endregion

            #region Türkçe seçim
            if (turkceSecim.Checked)
            {
                #region Sorgu alanı
                if (!kelimeGiris.Text.Equals(String.Empty))
                    girdi = kelimeGiris.Text.ToLower();
                else
                {
                    MessageBox.Show("Lütfen Türkçe kelime alanını boş bırakmayınız.",
                                    "Boş alan",
                                    MessageBoxButtons.OK,
                                    MessageBoxIcon.Error,
                                    MessageBoxDefaultButton.Button1,
                                    MessageBoxOptions.ServiceNotification);

                    Duzenle();

                    return;
                }

                #region Bağlantı
                using (Baglanti = new SqlConnection(baglantiCumlesi))
                {
                    Baglanti.Open();

                    #region Sorgu
                    using (Sorgu = new SqlCommand(turkceSorgusu, Baglanti))
                    {
                        Sorgu.Parameters.AddWithValue("@deger", girdi);

                        #region Sonuç aktarma

                        using (Okuyucu = Sorgu.ExecuteReader())
                        {
                        }
                        #endregion
                    }
                    #endregion

                    Baglanti.Close();
                }
                #endregion
                #endregion

                return;
            }
            #endregion
        }
        #endregion

        #region Dil tercih değişim
        private void ingilizceSecim_CheckedChanged(object sender, EventArgs e)
        {
            kelimeBaslik.Text = "İngilizce";
            anlamBaslik.Text = "Türkçe";
        }

        private void turkceSecim_CheckedChanged(object sender, EventArgs e)
        {
            kelimeBaslik.Text = "Türkçe";
            anlamBaslik.Text = "İngilizce";
        }
        #endregion
    }
}

This has nothing to do with ADO.NET. That query wouldn't return any results if it were executed in SSMS either. That's because LIKE '@deger%' searches for a string that starts with the characters @deger.

Query parameters are like function parameters - they aren't injected into the query string, they are passed to the compiled query as ... values. When a client executes a query with parameters, those are sent outside the query. That's why parameterized queries aren't vulnerable to SQL injection - the values are never part of the query. (Unless the developer goes out of his way to reintroduce that risk.)

In SSMS or a stored procedure the correct query would look like this:

DECLARE @deger varchar(20) = 'whatever%'

SELECT [KA].[Anlam] 
FROM [KelimeAnlam] [KA]    
    LEFT OUTER JOIN [IngKelimeler] [IK] ON [KA].[KelimeID] = [IK].[ID]
WHERE [IK].[Kelime] LIKE @deger

or

DECLARE @deger varchar(20) = 'whatever'

SELECT [KA].[Anlam] 
FROM [KelimeAnlam] [KA]    
    LEFT OUTER JOIN [IngKelimeler] [IK] ON [KA].[KelimeID] = [IK].[ID]
WHERE [IK].[Kelime] LIKE @deger + '%'

The query string would have to use one of these forms too, eg:

var ingilizceSorgusu = "SELECT [KA].[Anlam] " +
                       "FROM [KelimeAnlam] [KA] " +
                       "LEFT OUTER JOIN [IngKelimeler] [IK] ON [KA].[KelimeID] = [IK].[ID] " +
                       "WHERE [IK].[Kelime] LIKE @deger + '%'";
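As an added example (not code from the original question or answer), the following console program applies the answer's `LIKE @deger + '%'` form end to end and adds the check a practitioner usually wants next: user input is passed only as a parameter, and LIKE metacharacters (`%`, `_`, `[`) in that input are escaped with an `ESCAPE '\'` clause so that typing `%` cannot turn a prefix search into a scan of the whole table. The helper name `EscapeLikePattern`, the `SOZLUK_CONNECTION` environment variable, the fallback connection string and the `NVarChar(100)` parameter type are assumptions; match the parameter type to the actual column type of `[IK].[Kelime]`.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example: a prefix search that keeps user input out of the SQL text
// and matches LIKE wildcards in the input literally.
static class PrefixSearch
{
    // The parameter is concatenated with '%' on the server, as in the answer.
    // ESCAPE '\' makes "\%", "\_" and "\[" match the literal characters.
    const string Query =
        "SELECT [KA].[Anlam] " +
        "FROM [KelimeAnlam] [KA] " +
        "LEFT OUTER JOIN [IngKelimeler] [IK] ON [KA].[KelimeID] = [IK].[ID] " +
        "WHERE [IK].[Kelime] LIKE @deger + '%' ESCAPE '\\'";

    // Escape the characters T-SQL LIKE treats specially, plus the escape
    // character itself, so the user's text is matched as a literal prefix.
    public static string EscapeLikePattern(string input)
    {
        var sb = new StringBuilder(input.Length);
        foreach (char c in input)
        {
            if (c == '\\' || c == '%' || c == '_' || c == '[')
                sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    public static List<string> SearchMeanings(string connectionString, string userInput)
    {
        var results = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(Query, conn))
        {
            // Explicit type and length (assumed NVarChar(100) here) instead of
            // AddWithValue, so the parameter type does not vary with the input.
            cmd.Parameters.Add("@deger", SqlDbType.NVarChar, 100).Value =
                EscapeLikePattern(userInput.Trim());

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0)); // column 0 is [Anlam]
            }
        }
        return results;
    }

    static void Main()
    {
        // Placeholder connection string; point it at your own server and database.
        string cs = Environment.GetEnvironmentVariable("SOZLUK_CONNECTION")
                    ?? @"Server=.\SQLEXPRESS;Initial Catalog=Sozluk;Integrated Security=True";

        // "100%" would otherwise match every row; escaped it matches only words
        // that literally start with "100%".
        foreach (string anlam in SearchMeanings(cs, "100%"))
            Console.WriteLine(anlam);
    }
}
```

`EscapeLikePattern("a%b_c")` returns `a\%b\_c`, which under `ESCAPE '\'` matches only the literal prefix `a%b_c`. The original code's `Okuyucu["Anlam"]` lookup by name still works; `GetString(0)` is used here only because the query selects a single column.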
