How do I write an SQL query in c# to find DateTime?
Question
So I am creating a search function within my windows form that will allow the user to search for records based on what they have entered into the textbox. I have working code for finding records based off of every filter but the DateTime one. for example:
if (customerID_rb.Checked == true)
{
sqlQuery = "SELECT CustomerID, CustomerName, Telephone, DateAndTime, Status, Description from Calls WHERE CustomerID = " + item;
//'item' is the text in the textbox
UsingCommand(conn, table, sqlQuery);
return table;
}
private static void UsingCommand(SqlConnection conn, DataTable table, string sqlQuery)
{
using (SqlCommand cmd = new SqlCommand(sqlQuery, conn))
{
using (SqlDataAdapter da = new SqlDataAdapter(cmd))
da.Fill(table);
}
}
This will show the records containing the user entered text in the CustomerID column.
However I cannot quite figure out how to do the same but for DateTime. I know that in SQL you type 'WHERE 'DateTime = ...' but no matter how I try to reword the query string I just cannot get it to work.
The error I am getting is : 'SqlException was unhandled: An expression of non-boolean type specified in a context where a condition is expected, near 'DateAndTime'.
Code:
sqlQuery = "SELECT CustomerID, CustomerName, Telephone, DateAndTime, Status, Description from Calls WHERE DateTime DateAndTime = '" + item +"'";
I have tried with and without the DateTime and in multiple different orders, if anyone can help me with this it would be greatly appreciated!
Thanks
Edit:
Ok... I messed up a little. I wrongly assumed you would need the DateTime. However, I may have been thrown off into thinking that because I get thrown an exception if I input the date and time wrong. Thanks! :)
3 answers
solution1
0 2014-04-26 00:26:21
You should never concatenate parameters into a SQL string.
It leaves you vulnerable to SQL injection attacks .
It creates performance problems, as each unique value will create a new SQL query, having a different hash for the query, which defeats the execution-plan caching mechanism of the query engine.
For date values, the ordering of y/m/d, d/m/y, or m/d/y string formats can be different depending on the current culture settings, the OS globalization settings, and the database server's globalization settings. If they're not all in sync, then you could end up with random weirdness like mistaking January 3rd for March 1st.
Instead, you should always parameterize your queries! The query gets a placeholder for the value, and then you add the value using a separate parameter. I'm not going to give you an example here, as it takes very little time to search for this on your own and there have already been hundreds of posts on this here on SO
solution2
-1 ACCPTED 2014-04-25 10:29:22
您无需指定数据类型DateTime ,只需使用列名写查询即可,例如
sqlQuery = "SELECT CustomerID, CustomerName, Telephone, DateAndTime, Status, Description from Calls WHERE columnname = '" + item +"'";
solution3
-1 2014-04-25 10:30:52
Generally speaking, best would be to add sql parameters, but in string format:
" ... WHERE DateAndTime = '" + item.ToString("yyyyMMdd") +"'"
The yyyyMMdd should be safe to use in all cultures. The above is assuming, you have to search a date, not including time. Mostly times are only searched on with greater or smaller than. Additional, if the date field itself contains time, and you only want to search the date:
".... WHERE cast(DateAndTime as date) = '" + item.ToString("yyyyMMdd") +"'"
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.