[英]Incorrect syntax near ',' error in asp.net?
这是我在Asp.Net和C#中的代码。 我正在尝试从2小时内找出此错误,但找不到。
任何帮助都将受到赞赏。
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.SqlClient;
using System.Data;
public partial class Result : System.Web.UI.Page
{
SqlConnection con;
SqlCommand cmd;
SqlDataReader dr;
string city1, area1, type1, min, max;
int id;
protected void Page_Load(object sender, EventArgs e)
{
city1 = Request.QueryString["city"];
area1 = Request.QueryString["area"];
// type1 = Request.QueryString["propertytype"];
type1= "1bhk";
min = Request.QueryString["minprice"];
max = Request.QueryString["maxprice"];
// id = Convert.ToInt32(Request.QueryString["uid"]);
id = 1;
con = new SqlConnection("integrated security=true; database=data1; server=sudhir-pc");
con.Open();
cmd = new SqlCommand("select price,area,imagename,users_id from property where city='"+city1+"', area='"+area1+"', propertytype='"+type1+"', users_id="+id+"", con);
// cmd1 = new SqlCommand("select frstname,laststname,contactno from users where users_id='"+id+"'", con);
dr = cmd.ExecuteReader();
while (dr.Read())
{
Label1.Text = (string)dr["price"];
string area = (string)dr["area"];
string image = (string)dr["imagename"];
int id1 = (int)dr["users_id"];
}
}
}
错误行是dr=cmd.executereader();
。 相同查询在sql服务器上运行。 这种错误可以合乎逻辑吗?
在命令中用和替换逗号 。
cmd = new SqlCommand("select price,area,imagename,users_id from property where city='"+city1+"', area='"+area1+"', propertytype='"+type1+"', users_id="+id+"", con);
会成为
cmd = new SqlCommand("select price,area,imagename,users_id from property where city='"+city1+"' and area='"+area1+"' and propertytype='"+type1+"' and users_id="+id+"", con);
一部分是,这不是您应该如何做的方式。 您应该始终使用Paremeterized查询。 您可以在这里和这里阅读该书的优点。
您必须使用, and
在条件不是逗号的情况下使用
您正处于SQL注入攻击中 ..始终使用参数化查询
cmd = new SqlCommand("select price,area,imagename,users_id from property where
city=@city1 and area=@area1 and
propertytype=@type1 and users_id=@id", con);
cmd.Parameters.AddWithValue("@city1",city1);
cmd.Parameters.AddWithValue("@area1",area1);
cmd.Parameters.AddWithValue("@type1",type1);
cmd.Parameters.AddWithValue("@id",id);
dr = cmd.ExecuteReader();
您可以尝试以下方法:
cmd = new SqlCommand("select price,area,imagename,users_id from property where city=@city and area=@area and propertytype=@proprtytype and users_id=@userid ", con);
cmd.Parameters.AddWithValue("@city", city1);
cmd.Parameters.AddWithValue("@area", area1);
cmd.Parameters.AddWithValue("@propertytype", type1);
cmd.Parameters.AddWithValue("@userid", id);
// cmd1 = new SqlCommand("select frstname,laststname,contactno from users where users_id='"+id+"'", con);
dr = cmd.ExecuteReader();
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.