SQL DATEDIFF 函数返回错误值

Question

Im executing following sql statement to get the sum values using date difference as a condition. "t_QueryDemand" is the table name and "DESIRED_SHIP_DATE" is the value I compare with current system date. But, I always get a date difference higher than 44100, even though the actual difference is between 0-60. DESIRED_SHIP_DATE data type is datetime2(7). I'm using MS SQL server database. What could be the issue.

Dim curDate As Date = Date.Today()

Dim strSql7DayDemand As date= "SELECT SUM(ORDER_QTY) AS ORDQTY, (TOTAL_SHIPPED_QTY) AS SHIPQTY, DATEDIFF(day," & curDate & ",DESIRED_SHIP_DATE),DESIRED_SHIP_DATE as DIFF from t_QueryDemand where ID='" & Trim(txtPartID.Text) & "' AND DATEDIFF(DAY," & curDate & ",DESIRED_SHIP_DATE) >" & 

Answer 1

Instead of using a injection use the SQL function GETDATE()

DATEDIFF(day,GETDATE(),DESIRED_SHIP_DATE)

This will calculate the date on the server instead of locally like you are currently doing.

As has been pointed out you have a serious security vulnerability -- you need to use parameterized queries and not string concatenation or you are vulnerable to an SQL injection attack.

It will also make your code more robust -- right now you have txtPartID.Text and you are just putting that into your query but what if someone enters an non-number in this field -- you have no way of catching that now. With a parameterized query of a numeric type you would catch this problem when you converted the data entry to a number.