
Can't retrieve a specific item from a dataset

I've looked through the other questions related to this, but I'm having a different issue. I can't get a specific item to return; it only returns my column name. How do I get the item to return?

using System.Data;
using System.Data.SqlClient;

public static string GetOneFieldRecord(string field, string companyNum)
{
    DataSet ds = new DataSet();
    SqlCommand comm = new SqlCommand();

    // @FieldName is bound as a parameter, so SQL Server sees it as a string value,
    // not as a column name
    string strSQL = "SELECT @FieldName FROM Companies WHERE CompanyNum = @CompanyNum";
    SqlConnection conn = new SqlConnection();
    conn.ConnectionString = @connstring; // connstring is declared elsewhere in the class
    comm.Connection = conn;
    comm.CommandText = strSQL;
    comm.Parameters.AddWithValue("@FieldName", field);
    comm.Parameters.AddWithValue("@CompanyNum", companyNum);

    SqlDataAdapter da = new SqlDataAdapter();
    da.SelectCommand = comm;

    conn.Open();

    da.Fill(ds, "CompanyInfo");

    conn.Close();

    return ds.Tables[0].Rows[0].ItemArray[0].ToString();
}

I've also tried

return ds.Tables[0].Rows[0][0].ToString();

I'm just getting whatever is in the field variable. If I pass in ("CompanyName", 33), it returns "CompanyName".

Your query (in SQL Profiler) is

SELECT 'CompanyName' FROM Companies WHERE CompanyNum = 33

So it returns exactly the "CompanyName" string. You cannot pass a column name as an SqlParameter. You should do something like

using System.Data;
using System.Data.SqlClient;

public static string GetOneFieldRecord(string field, string companyNum)
{
    DataSet ds = new DataSet();
    SqlCommand comm = new SqlCommand();

    // The column name is spliced directly into the SQL text (this is the injection point)
    string strSQL = string.Format("SELECT {0} FROM Companies WHERE CompanyNum = @CompanyNum", field);
    SqlConnection conn = new SqlConnection();
    conn.ConnectionString = @connstring; // connstring is declared elsewhere in the class
    comm.Connection = conn;
    comm.CommandText = strSQL;
    comm.Parameters.AddWithValue("@CompanyNum", companyNum);

    SqlDataAdapter da = new SqlDataAdapter();
    da.SelectCommand = comm;

    conn.Open();

    da.Fill(ds, "CompanyInfo");

    conn.Close();

    return ds.Tables[0].Rows[0].ItemArray[0].ToString();
}

But this code can be used for SQL injection.

To avoid SQL injection, you could check that the field name in the field variable is one of the table's columns.

Or you could run SELECT * FROM Companies WHERE CompanyNum = @CompanyNum and get the value of the named column from the DataTable:

using System.Data;
using System.Data.SqlClient;

public static string GetOneFieldRecord(string field, string companyNum)
{
    DataSet ds = new DataSet();
    SqlCommand comm = new SqlCommand();

    // No user input reaches the SQL text; only the row filter is parameterised
    string strSQL = "SELECT * FROM Companies WHERE CompanyNum = @CompanyNum";
    SqlConnection conn = new SqlConnection();
    conn.ConnectionString = @connstring; // connstring is declared elsewhere in the class
    comm.Connection = conn;
    comm.CommandText = strSQL;
    comm.Parameters.AddWithValue("@CompanyNum", companyNum);

    SqlDataAdapter da = new SqlDataAdapter();
    da.SelectCommand = comm;

    conn.Open();

    da.Fill(ds, "CompanyInfo");

    conn.Close();

    // The column is selected client-side by name, so an unknown name throws
    // an ArgumentException instead of altering the query
    return ds.Tables[0].Rows[0][field].ToString();
}
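The allow-list approach the answer mentions, written out as an added example (this is not code from the question or the answer): the caller-supplied column name is matched against a fixed list of known columns, the name that reaches the SQL text is taken from that list rather than from the input, and the row filter stays parameterised. The column list, the connection string being passed in, CompanyNum being an int column, and the GetOneFieldRecord signature are all assumptions for the example. It also handles the no-matching-row case, which the original Rows[0] indexing would turn into an exception.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CompanyRepository
{
    // Allow-list of columns a caller may ask for. Constructed for this example;
    // the real Companies table and its column names are assumptions.
    private static readonly string[] AllowedFields =
    {
        "CompanyName", "CompanyNum", "City", "Phone"
    };

    // Returns the canonical column name when the request matches the allow-list,
    // otherwise throws. The value returned is one of our own constants, never the
    // caller's string, so nothing from the caller is ever spliced into SQL text.
    public static string ValidateField(string field)
    {
        if (field == null) throw new ArgumentNullException(nameof(field));

        foreach (string allowed in AllowedFields)
        {
            if (string.Equals(allowed, field, StringComparison.OrdinalIgnoreCase))
                return allowed;
        }
        throw new ArgumentException("Unknown column: " + field, nameof(field));
    }

    // Reads one column of one company row. Returns null when no row matches or the
    // column is NULL, instead of throwing on Rows[0] like the original code.
    public static string GetOneFieldRecord(string connString, string field, int companyNum)
    {
        string column = ValidateField(field);

        // Bracket-quote the identifier ([CompanyName]) as defence in depth; the
        // allow-list is the actual control, quoting only protects against a future
        // list entry with an unusual name.
        string quoted = new SqlCommandBuilder().QuoteIdentifier(column);
        string sql = "SELECT TOP (1) " + quoted + " FROM Companies WHERE CompanyNum = @CompanyNum";

        using (var conn = new SqlConnection(connString))
        using (var comm = new SqlCommand(sql, conn))
        {
            // Typed parameter: CompanyNum is assumed to be an int column, so bind an int
            // rather than letting AddWithValue infer an nvarchar from a string argument.
            comm.Parameters.Add("@CompanyNum", SqlDbType.Int).Value = companyNum;

            conn.Open();
            object value = comm.ExecuteScalar(); // null when the query returns no rows
            return value == null || value is DBNull ? null : Convert.ToString(value);
        }
    }
}
```

With this shape, `GetOneFieldRecord(connString, "CompanyName", 33)` produces the query text `SELECT TOP (1) [CompanyName] FROM Companies WHERE CompanyNum = @CompanyNum`, while a request such as `"CompanyName; DROP TABLE Companies"` never reaches the database: ValidateField rejects it before any SqlCommand is built. Keeping the allow-list in code (or loading it once from INFORMATION_SCHEMA.COLUMNS at startup) is preferable to trusting whatever column names arrive at runtime.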
