How to pass parameter value In .aspx page to Sql Query?

I'm working in ASP.NET C# source, where I have a procedure that passes parameter values from an ASPX page.

In the code below I need to pass a.cYear and AssignedDate from the ASP.NET controls.

Note: I don't use an .aspx.cs page; I write this code in the .aspx page itself.

In an .aspx.cs page I pass them like this,

    bolMachineStatus.cyear = Request.Cookies["BCookies"]["SessionFinancialYear"];
    bolMachineStatus.AssignedDate = Calendar2.SelectedDate.ToString();

Here is the full source code, in which I have passed the values directly,

<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<script runat="server">
    protected void Calendar2_SelectionChanged(object sender, System.EventArgs e)
    {
        SqlConnection strConn = new SqlConnection(ConfigurationManager.ConnectionStrings["BConnection"].ToString());            
        SqlDataAdapter da = new SqlDataAdapter();
        SqlCommand cmd = new SqlCommand();
        DataSet ds = new DataSet();
        strConn.Open();

        cmd.CommandText = @"CREATE TABLE #PendingMachineStatus(cMBrnCode NVARCHAR(2),cMBrnName NVARCHAR(25),
                    cYear NVARCHAR(4),nCallNo INT,Date Datetime)
                    INSERT INTO #PendingMachineStatus
                    select c.cMBrnCode,c.cMBrnName,b.cYear,b.nCallNo,
                    MAX(b.StatusDate) as Date
                    from SvCallHead a
                    INNER JOIN MachineStatus b on a.cYear = b.cYear AND a.nCallNo = b.nCallNo
                    INNER JOIN SvMainBrn c on a.cMBrnCode=c.cMBrnCode
                    where b.cYear='2017'
                    and a.cCallSuff = 'A' AND a.cCallEnd = 'N' AND  a.cServType = 'A'
                    AND a.cStatFlg  <> 'C'
                    GROUP BY c.cMBrnCode,c.cMBrnName,b.cYear,b.nCallNo

                    CREATE TABLE #MachineStatus(cMBrnCode NVARCHAR(7),cMBrnName NVARCHAR(100),cYear NVARCHAR(4),nCallNo INT,
                    MainStatus varchar(10),Status varchar(10),cSvPrCode NVARCHAR(10),AssignedDate Datetime,
                    IsSMS BIT)
                    INSERT INTO #MachineStatus
                    SELECT a.cMBrnCode,a.cMBrnName,a.cYear,a.nCallNo,b.MainStatus,b.MachineStatus,b.cSvPrCode,b.AssignedDate,b.IsSMS
                    FROM #PendingMachineStatus a
                    INNER JOIN MachineStatus b ON a.nCallNo=b.nCallNo AND a.Date=b.StatusDate

                    select COUNT(*) AS Count,
                    CASE d.cSvPrCode
                    WHEN '0' THEN NULL
                    ELSE d.cSvPrCode
                    END cSvPrCode,
                    CASE d.AssignedDate
                    WHEN '1900-01-01 00:00:00.000' THEN NULL
                    ELSE d.AssignedDate
                    END AS AssignedDate,
                    DAY(d.AssignedDate) AS Day,
                    MONTH(d.AssignedDate) AS Month,
                    f.cSvPrName
                    from SvCallHead a
                    INNER JOIN SvMainBrn b on a.cMBrnCode=b.cMBrnCode
                    LEFT JOIN SvDelrMast c on a.cDelrCode=c.cDelrCode
                    LEFT JOIN #MachineStatus d on a.cYear=d.cYear and a.nCallNo=d.nCallNo
                    LEFT JOIN SvSvPrMast f on d.cSvPrCode=f.cSvPrCode
                    where a.cYear='2017' and d.AssignedDate='2018/03/15' and a.cCallSuff = 'A' AND a.cCallEnd= 'N'
                    AND a.cServType= 'A' AND a.cStatFlg<> 'C' AND f.cSvPrName<>'NULL'
                    group by d.cSvPrCode,d.AssignedDate,f.cSvPrName
                    order by AssignedDate asc

                    drop table #PendingMachineStatus
                    drop table #MachineStatus";
        da = new SqlDataAdapter(cmd.CommandText, strConn);
        da.Fill(ds);
        strConn.Close();
        if (ds.Tables[0].Rows.Count == 0)
        {
            DataGrid1.Visible = false;
        }
        else
        {
            DataGrid1.Visible = true;
            DataGrid1.DataSource = ds.Tables[0];
            DataGrid1.DataBind();
        }
    }
</script>

It would be better if you put this in a stored procedure and parameterized it. For now, you can look at string.Format to pass the values.

Something like:

           // The cookie and calendar values are spliced into the SQL text as string literals.
           var str = string.Format(@"CREATE TABLE #PendingMachineStatus(cMBrnCode NVARCHAR(2),cMBrnName NVARCHAR(25),
                cYear NVARCHAR(4),nCallNo INT,Date Datetime)
                INSERT INTO #PendingMachineStatus
                select c.cMBrnCode,c.cMBrnName,b.cYear,b.nCallNo,
                MAX(b.StatusDate) as Date
                from SvCallHead a
                INNER JOIN MachineStatus b on a.cYear = b.cYear AND a.nCallNo = b.nCallNo
                INNER JOIN SvMainBrn c on a.cMBrnCode=c.cMBrnCode
                where b.cYear='{0}'
                and a.cCallSuff = 'A' AND a.cCallEnd = 'N' AND  a.cServType = 'A'
                AND a.cStatFlg  <> 'C'
                GROUP BY c.cMBrnCode,c.cMBrnName,b.cYear,b.nCallNo

                CREATE TABLE #MachineStatus(cMBrnCode NVARCHAR(7),cMBrnName NVARCHAR(100),cYear NVARCHAR(4),nCallNo INT,
                MainStatus varchar(10),Status varchar(10),cSvPrCode NVARCHAR(10),AssignedDate Datetime,
                IsSMS BIT)
                INSERT INTO #MachineStatus
                SELECT a.cMBrnCode,a.cMBrnName,a.cYear,a.nCallNo,b.MainStatus,b.MachineStatus,b.cSvPrCode,b.AssignedDate,b.IsSMS
                FROM #PendingMachineStatus a
                INNER JOIN MachineStatus b ON a.nCallNo=b.nCallNo AND a.Date=b.StatusDate

                select COUNT(*) AS Count,
                CASE d.cSvPrCode
                WHEN '0' THEN NULL
                ELSE d.cSvPrCode
                END cSvPrCode,
                CASE d.AssignedDate
                WHEN '1900-01-01 00:00:00.000' THEN NULL
                ELSE d.AssignedDate
                END AS AssignedDate,
                DAY(d.AssignedDate) AS Day,
                MONTH(d.AssignedDate) AS Month,
                f.cSvPrName
                from SvCallHead a
                INNER JOIN SvMainBrn b on a.cMBrnCode=b.cMBrnCode
                LEFT JOIN SvDelrMast c on a.cDelrCode=c.cDelrCode
                LEFT JOIN #MachineStatus d on a.cYear=d.cYear and a.nCallNo=d.nCallNo
                LEFT JOIN SvSvPrMast f on d.cSvPrCode=f.cSvPrCode
                where a.cYear='{0}' and d.AssignedDate='{1}' and a.cCallSuff = 'A' AND a.cCallEnd= 'N'
                AND a.cServType= 'A' AND a.cStatFlg<> 'C' AND f.cSvPrName<>'NULL'
                group by d.cSvPrCode,d.AssignedDate,f.cSvPrName
                order by AssignedDate asc

                drop table #PendingMachineStatus
                drop table #MachineStatus", Request.Cookies["BCookies"]["SessionFinancialYear"], Calendar2.SelectedDate.ToString());

You can use SqlParameter:

    using System;
    using System.Data.SqlClient;

    //
    // The name we are trying to match.
    //
    string dogName = "Fido";
    //
    // Use preset string for connection and open it.
    //
    string connectionString = ConsoleApplication1.Properties.Settings.Default.ConnectionString;
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        connection.Open();
        //
        // Description of SQL command:
        // 1. It selects all cells from rows matching the name.
        // 2. It uses LIKE operator because Name is a Text field.
        // 3. @Name must be added as a new SqlParameter.
        //
        using (SqlCommand command = new SqlCommand(
            "SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
        {
            //
            // Add new SqlParameter to the command.
            //
            command.Parameters.Add(new SqlParameter("Name", dogName));
            //
            // Read in the SELECT results.
            //
            SqlDataReader reader = command.ExecuteReader();
            while (reader.Read())
            {
                int weight = reader.GetInt32(0);
                string name = reader.GetString(1);
                string breed = reader.GetString(2);
                Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}",
                    weight, name, breed);
            }
        }
    }

More details in this example: https://www.dotnetperls.com/sqlparameter

This is high risk. SQL injection was the number one security risk at OWASP.org in 2017.

  • You should create a stored procedure using the following link: Create SP
  • Then you should execute the stored procedure from code using ADO.Net/Entity Framework. The only thing passed from client to server is via SQL parameters. For ADO, use the link: Call SP using ADO
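The SqlParameter answer above and the stored-procedure answer both come down to the same thing: the two values from the cookie and the calendar must travel as typed parameters, never be formatted into the statement text the way the string.Format answer does. The block below is an added example, not the poster's code or any of the answerers' code. It takes the poster's query verbatim, replaces the two literals with @cYear and @AssignedDate, and binds them once for either an inline command or a stored procedure. It assumes the poster's connection-string name (BConnection), cookie names (BCookies / SessionFinancialYear), the Calendar2 and DataGrid1 controls, and the table and column names from the question; the stored-procedure name dbo.usp_MachineStatusByDate is hypothetical.

```aspx
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<script runat="server">
    // Added example, not the poster's code. This is the poster's query with the two
    // hard-coded literals ('2017' and '2018/03/15') replaced by @cYear and @AssignedDate.
    const string MachineStatusSql = @"
CREATE TABLE #PendingMachineStatus(cMBrnCode NVARCHAR(2), cMBrnName NVARCHAR(25),
    cYear NVARCHAR(4), nCallNo INT, Date DATETIME);
INSERT INTO #PendingMachineStatus
SELECT c.cMBrnCode, c.cMBrnName, b.cYear, b.nCallNo, MAX(b.StatusDate) AS Date
FROM SvCallHead a
INNER JOIN MachineStatus b ON a.cYear = b.cYear AND a.nCallNo = b.nCallNo
INNER JOIN SvMainBrn c ON a.cMBrnCode = c.cMBrnCode
WHERE b.cYear = @cYear
  AND a.cCallSuff = 'A' AND a.cCallEnd = 'N' AND a.cServType = 'A' AND a.cStatFlg <> 'C'
GROUP BY c.cMBrnCode, c.cMBrnName, b.cYear, b.nCallNo;

CREATE TABLE #MachineStatus(cMBrnCode NVARCHAR(7), cMBrnName NVARCHAR(100), cYear NVARCHAR(4), nCallNo INT,
    MainStatus VARCHAR(10), Status VARCHAR(10), cSvPrCode NVARCHAR(10), AssignedDate DATETIME, IsSMS BIT);
INSERT INTO #MachineStatus
SELECT a.cMBrnCode, a.cMBrnName, a.cYear, a.nCallNo, b.MainStatus, b.MachineStatus, b.cSvPrCode, b.AssignedDate, b.IsSMS
FROM #PendingMachineStatus a
INNER JOIN MachineStatus b ON a.nCallNo = b.nCallNo AND a.Date = b.StatusDate;

SELECT COUNT(*) AS Count,
       CASE d.cSvPrCode WHEN '0' THEN NULL ELSE d.cSvPrCode END AS cSvPrCode,
       CASE d.AssignedDate WHEN '1900-01-01 00:00:00.000' THEN NULL ELSE d.AssignedDate END AS AssignedDate,
       DAY(d.AssignedDate) AS Day, MONTH(d.AssignedDate) AS Month, f.cSvPrName
FROM SvCallHead a
INNER JOIN SvMainBrn b ON a.cMBrnCode = b.cMBrnCode
LEFT JOIN SvDelrMast c ON a.cDelrCode = c.cDelrCode
LEFT JOIN #MachineStatus d ON a.cYear = d.cYear AND a.nCallNo = d.nCallNo
LEFT JOIN SvSvPrMast f ON d.cSvPrCode = f.cSvPrCode
WHERE a.cYear = @cYear AND d.AssignedDate = @AssignedDate
  AND a.cCallSuff = 'A' AND a.cCallEnd = 'N' AND a.cServType = 'A' AND a.cStatFlg <> 'C'
  AND f.cSvPrName <> 'NULL'
GROUP BY d.cSvPrCode, d.AssignedDate, f.cSvPrName
ORDER BY AssignedDate ASC;

DROP TABLE #PendingMachineStatus;
DROP TABLE #MachineStatus;";

    static readonly Regex FourDigitYear = new Regex(@"^\d{4}$");

    // The cookie is client-controlled. Reject anything that is not exactly four digits
    // before it goes anywhere near the database.
    static string ReadFinancialYear(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies["BCookies"];
        string year = cookie == null ? null : cookie["SessionFinancialYear"];
        if (year == null || !FourDigitYear.IsMatch(year))
            throw new ArgumentException("SessionFinancialYear cookie missing or malformed");
        return year;
    }

    // Runs either inline SQL text or a stored procedure; the parameters are bound identically.
    static DataTable QueryMachineStatus(string commandText, CommandType type, string cYear, DateTime assignedDate)
    {
        string connStr = ConfigurationManager.ConnectionStrings["BConnection"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(commandText, conn))
        {
            cmd.CommandType = type;
            // Typed parameters travel separately from the SQL text, so their values can never
            // alter the statement. The date is sent as DATETIME, not as a formatted string.
            cmd.Parameters.Add("@cYear", SqlDbType.NVarChar, 4).Value = cYear;
            cmd.Parameters.Add("@AssignedDate", SqlDbType.DateTime).Value = assignedDate.Date;
            DataTable table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    protected void Calendar2_SelectionChanged(object sender, EventArgs e)
    {
        string cYear = ReadFinancialYear(Request);
        // Inline-text version of the poster's query.
        DataTable rows = QueryMachineStatus(MachineStatusSql, CommandType.Text, cYear, Calendar2.SelectedDate);
        // Stored-procedure version: assumes dbo.usp_MachineStatusByDate (hypothetical name) exists
        // with the same body and the parameters @cYear NVARCHAR(4), @AssignedDate DATETIME:
        // DataTable rows = QueryMachineStatus("dbo.usp_MachineStatusByDate", CommandType.StoredProcedure, cYear, Calendar2.SelectedDate);
        DataGrid1.Visible = rows.Rows.Count > 0;
        DataGrid1.DataSource = rows;
        DataGrid1.DataBind();
    }
</script>
```

Two details matter beyond the injection fix. Declaring @cYear as NVARCHAR(4) matches the column type, so SQL Server compares it without an implicit conversion and can reuse one cached plan for every year; passing Calendar2.SelectedDate as a DateTime avoids the culture-dependent text that ToString() produces, which the string.Format answer would otherwise hand to the server to parse. The four-digit check on the cookie is defence in depth: parameterization already stops injection, but a session value the browser controls should still fail fast when it is not what the application expects.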


Statement: the technical posts on this site follow the CC BY-SA 4.0 licence; if you reproduce them, please credit this site or the original URL. For any questions contact: yoyou2525@163.com.