C# Visual C使用querystring作为参数显示gridview
我一直在做一个项目,让用户选择项目进行比较。我的方法是使用复选框将用户选择的查询字符串发送到新页面compare.aspx。我正在为此compare.aspx使用gridview,下面是代码:C# Visual C使用querystring作为参数显示gridview,c#,asp.net,visual-studio-2008,C#,Asp.net,Visual Studio 2008,我一直在做一个项目,让用户选择项目进行比较。我的方法是使用复选框将用户选择的查询字符串发送到新页面compare.aspx。我正在为此compare.aspx使用gridview,下面是代码: <%@ Page Language="C#" AutoEventWireup="true" CodeBehind="compare.aspx.cs" Inherits="AsiaWebShop.compare" %> <asp:GridView ID="GridView1" r
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="compare.aspx.cs" Inherits="AsiaWebShop.compare" %>
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
DataKeyNames="item_id" DataSourceID="SqlDataSource1">
<Columns>
<asp:BoundField DataField="item_id" HeaderText="item_id" InsertVisible="False"
ReadOnly="True" SortExpression="item_id" />
<asp:BoundField DataField="item_name" HeaderText="item_name"
SortExpression="item_name" />
<asp:BoundField DataField="category" HeaderText="category"
SortExpression="category" />
<asp:BoundField DataField="pic_path" HeaderText="pic_path"
SortExpression="pic_path" />
<asp:BoundField DataField="item_description" HeaderText="item_description"
SortExpression="item_description" />
<asp:BoundField DataField="regular_price" HeaderText="regular_price"
SortExpression="regular_price" />
<asp:BoundField DataField="member_price" HeaderText="member_price"
SortExpression="member_price" />
<asp:BoundField DataField="promo_price" HeaderText="promo_price"
SortExpression="promo_price" />
<asp:BoundField DataField="stock" HeaderText="stock" SortExpression="stock" />
<asp:BoundField DataField="upc" HeaderText="upc" SortExpression="upc" />
</Columns>
</asp:GridView>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:awsdbConnectionString %>"
ProviderName="<%$ ConnectionStrings:awsdbConnectionString.ProviderName %>"
SelectCommand="SELECT * FROM [item] WHERE ([upc] = ?)">
<SelectParameters>
<asp:QueryStringParameter Name="upc" QueryStringField="query" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
</div>
</form>
然而,我在条件表达式错误中得到了一个数据类型不匹配,有人知道为什么吗?很抱歉,我只是asp.net和C的新手,所以请对我放轻松…使用HTTP查询字符串的输入格式编写SQL字符串存在安全风险。这将为你打开通往成功的大门
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
DataKeyNames="item_id" DataSourceID="SqlDataSource1">
<Columns>
<asp:BoundField DataField="item_id" HeaderText="item_id" InsertVisible="False"
ReadOnly="True" SortExpression="item_id" />
<asp:BoundField DataField="item_name" HeaderText="item_name"
SortExpression="item_name" />
<asp:BoundField DataField="category" HeaderText="category"
SortExpression="category" />
<asp:BoundField DataField="pic_path" HeaderText="pic_path"
SortExpression="pic_path" />
<asp:BoundField DataField="item_description" HeaderText="item_description"
SortExpression="item_description" />
<asp:BoundField DataField="regular_price" HeaderText="regular_price"
SortExpression="regular_price" />
<asp:BoundField DataField="member_price" HeaderText="member_price"
SortExpression="member_price" />
<asp:BoundField DataField="promo_price" HeaderText="promo_price"
SortExpression="promo_price" />
<asp:BoundField DataField="stock" HeaderText="stock" SortExpression="stock" />
<asp:BoundField DataField="upc" HeaderText="upc" SortExpression="upc" />
</Columns>
</asp:GridView>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:awsdbConnectionString %>"
ProviderName="<%$ ConnectionStrings:awsdbConnectionString.ProviderName %>"
SelectCommand="SELECT * FROM [item] WHERE ([upc] = ?)">
<SelectParameters>
<asp:QueryStringParameter Name="upc" QueryStringField="query" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
</div>
</form>
看起来您的代码在没有任何代码隐藏的情况下可以正常工作。您已经向数据源添加了一个参数,该参数将从查询字符串中捕获所需的值。为此目的使用参数可以防止SQL注入。您可能希望向SQLDataSource声明中的参数添加默认值
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
DataKeyNames="item_id" DataSourceID="SqlDataSource1">
<Columns>
<asp:BoundField DataField="item_id" HeaderText="item_id" InsertVisible="False"
ReadOnly="True" SortExpression="item_id" />
<asp:BoundField DataField="item_name" HeaderText="item_name"
SortExpression="item_name" />
<asp:BoundField DataField="category" HeaderText="category"
SortExpression="category" />
<asp:BoundField DataField="pic_path" HeaderText="pic_path"
SortExpression="pic_path" />
<asp:BoundField DataField="item_description" HeaderText="item_description"
SortExpression="item_description" />
<asp:BoundField DataField="regular_price" HeaderText="regular_price"
SortExpression="regular_price" />
<asp:BoundField DataField="member_price" HeaderText="member_price"
SortExpression="member_price" />
<asp:BoundField DataField="promo_price" HeaderText="promo_price"
SortExpression="promo_price" />
<asp:BoundField DataField="stock" HeaderText="stock" SortExpression="stock" />
<asp:BoundField DataField="upc" HeaderText="upc" SortExpression="upc" />
</Columns>
</asp:GridView>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:awsdbConnectionString %>"
ProviderName="<%$ ConnectionStrings:awsdbConnectionString.ProviderName %>"
SelectCommand="SELECT * FROM [item] WHERE ([upc] = ?)">
<SelectParameters>
<asp:QueryStringParameter Name="upc" QueryStringField="query" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
</div>
</form>
我肯定会删除你所有的代码,看看这是否解决了你的问题
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
DataKeyNames="item_id" DataSourceID="SqlDataSource1">
<Columns>
<asp:BoundField DataField="item_id" HeaderText="item_id" InsertVisible="False"
ReadOnly="True" SortExpression="item_id" />
<asp:BoundField DataField="item_name" HeaderText="item_name"
SortExpression="item_name" />
<asp:BoundField DataField="category" HeaderText="category"
SortExpression="category" />
<asp:BoundField DataField="pic_path" HeaderText="pic_path"
SortExpression="pic_path" />
<asp:BoundField DataField="item_description" HeaderText="item_description"
SortExpression="item_description" />
<asp:BoundField DataField="regular_price" HeaderText="regular_price"
SortExpression="regular_price" />
<asp:BoundField DataField="member_price" HeaderText="member_price"
SortExpression="member_price" />
<asp:BoundField DataField="promo_price" HeaderText="promo_price"
SortExpression="promo_price" />
<asp:BoundField DataField="stock" HeaderText="stock" SortExpression="stock" />
<asp:BoundField DataField="upc" HeaderText="upc" SortExpression="upc" />
</Columns>
</asp:GridView>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:awsdbConnectionString %>"
ProviderName="<%$ ConnectionStrings:awsdbConnectionString.ProviderName %>"
SelectCommand="SELECT * FROM [item] WHERE ([upc] = ?)">
<SelectParameters>
<asp:QueryStringParameter Name="upc" QueryStringField="query" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
</div>
</form>
编辑:回答原始问题:在条件表达式错误中出现数据类型不匹配的原因是因为数据库中的列upc是字符串类型,可能是varchar。如果要创建一个硬编码的SQL字符串,并与upc列进行比较,那么可以在用于比较的值周围加上单引号,比如SQL查询语法。由于没有包含引号,SQL解释器不会将值识别为字符串
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
DataKeyNames="item_id" DataSourceID="SqlDataSource1">
<Columns>
<asp:BoundField DataField="item_id" HeaderText="item_id" InsertVisible="False"
ReadOnly="True" SortExpression="item_id" />
<asp:BoundField DataField="item_name" HeaderText="item_name"
SortExpression="item_name" />
<asp:BoundField DataField="category" HeaderText="category"
SortExpression="category" />
<asp:BoundField DataField="pic_path" HeaderText="pic_path"
SortExpression="pic_path" />
<asp:BoundField DataField="item_description" HeaderText="item_description"
SortExpression="item_description" />
<asp:BoundField DataField="regular_price" HeaderText="regular_price"
SortExpression="regular_price" />
<asp:BoundField DataField="member_price" HeaderText="member_price"
SortExpression="member_price" />
<asp:BoundField DataField="promo_price" HeaderText="promo_price"
SortExpression="promo_price" />
<asp:BoundField DataField="stock" HeaderText="stock" SortExpression="stock" />
<asp:BoundField DataField="upc" HeaderText="upc" SortExpression="upc" />
</Columns>
</asp:GridView>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:awsdbConnectionString %>"
ProviderName="<%$ ConnectionStrings:awsdbConnectionString.ProviderName %>"
SelectCommand="SELECT * FROM [item] WHERE ([upc] = ?)">
<SelectParameters>
<asp:QueryStringParameter Name="upc" QueryStringField="query" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
</div>
</form>
我必须强调,我不建议您在SQL中使用硬编码值。请注意SQL注入的安全风险。Re:使用查询参数组合SQL字符串是一种安全风险,-您想说的是正确的,但措辞令人困惑。SQL参数也是查询参数。非常感谢您提醒我有关安全风险的问题,但由于这只是一个学校项目,我认为暂时可以:您介意在我的代码中具体引用应该包含单引号的地方吗?ASP.net中的单引号是否有特定的语法?我是asp.net的新手,非常感谢您的帮助。最后一次更新,我在这里添加了单引号SelectCommand=SELECT*FROM[item],其中[upc]='?'>代码可以工作,但有一些错误。在compare.aspx中,我只能返回一个项目进行比较…我的原始查询字符串类似于15、23或25,但当我运行程序时,查询字符串被缩减为仅15个,有人知道为什么吗?甚至比较界面中的唯一项目也消失了
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False"
DataKeyNames="item_id" DataSourceID="SqlDataSource1">
<Columns>
<asp:BoundField DataField="item_id" HeaderText="item_id" InsertVisible="False"
ReadOnly="True" SortExpression="item_id" />
<asp:BoundField DataField="item_name" HeaderText="item_name"
SortExpression="item_name" />
<asp:BoundField DataField="category" HeaderText="category"
SortExpression="category" />
<asp:BoundField DataField="pic_path" HeaderText="pic_path"
SortExpression="pic_path" />
<asp:BoundField DataField="item_description" HeaderText="item_description"
SortExpression="item_description" />
<asp:BoundField DataField="regular_price" HeaderText="regular_price"
SortExpression="regular_price" />
<asp:BoundField DataField="member_price" HeaderText="member_price"
SortExpression="member_price" />
<asp:BoundField DataField="promo_price" HeaderText="promo_price"
SortExpression="promo_price" />
<asp:BoundField DataField="stock" HeaderText="stock" SortExpression="stock" />
<asp:BoundField DataField="upc" HeaderText="upc" SortExpression="upc" />
</Columns>
</asp:GridView>
<asp:SqlDataSource ID="SqlDataSource1" runat="server"
ConnectionString="<%$ ConnectionStrings:awsdbConnectionString %>"
ProviderName="<%$ ConnectionStrings:awsdbConnectionString.ProviderName %>"
SelectCommand="SELECT * FROM [item] WHERE ([upc] = ?)">
<SelectParameters>
<asp:QueryStringParameter Name="upc" QueryStringField="query" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
</div>
</form>