
C# search filter function: order by not working


I'm trying to implement order by in the following search function:

    public DataSet SearchTable()
    {
        string sql1 = "SELECT * from dbo.Documents1 order by Received_Date";

        bool flag = false;

        if (!txtRef.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Ref LIKE N'%" + txtRef.Text + "%'";
            }
        }

        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }

        // ... the rest of the method (executing sql1 and filling the DataSet) is not shown in the question
    }
I get the following error:

Incorrect syntax near the keyword 'where'.

Any idea how to fix it? Thanks in advance.

You are ordering before the Where. That is not correct SQL syntax.

Try the following:

    public DataSet SearchTable()
    {
        string sql1 = "SELECT * from dbo.Documents1";

        bool flag = false;

        if (!txtRef.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Ref LIKE N'%" + txtRef.Text + "%'";
            }
        }

        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }

        // order by is appended last, after the complete where clause
        sql1 = sql1 + "  order by Received_Date";

        // ... execute sql1 and fill the DataSet here (not shown in the answer)
    }

I created a separate method to return the SQL query. The "order by" clause is taken out and appended just before the query is returned. I also removed the "else" condition from the first block, since it is always true.

    public string GetSQL()
    {
        string sql1 = "SELECT * from dbo.Documents1";

        bool flag = false;

        if (!txtRef.Text.Equals(""))
        {
            // first condition: flag is always false here, so no else branch is needed
            sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
            flag = true;
        }

        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }

        sql1 = sql1 + " order by Received_Date";

        return sql1;
    }

The code you have is vulnerable to SQL injection.

To avoid that, use parameters wherever possible. The code could then look like this:

    public DataSet SearchTable()
    {
        string sqlStatement = "SELECT * from dbo.Documents1";
        bool flag = false; // becomes true once a " where " has been emitted

        var reference = "something"; // txtRef.Text
        var subject = "something else"; // txtSubject.Text

        var sqlCommand = new SqlCommand();

        if (!string.IsNullOrWhiteSpace(reference))
        {
            // The % wildcards belong in the parameter value, not in the SQL text,
            // so the parameter is compared as a whole LIKE pattern.
            var referenceParameter = new SqlParameter("@referenceParam", SqlDbType.NVarChar, 100) { Value = "%" + reference + "%" };
            sqlCommand.Parameters.Add(referenceParameter);
            sqlStatement += AddWhereLike("Ref", "@referenceParam", flag);
            flag = true;
        }

        if (!string.IsNullOrWhiteSpace(subject))
        {
            // was "Value = reference" in the original, which bound the wrong value
            var subjectParameter = new SqlParameter("@subjectParam", SqlDbType.NVarChar, 100) { Value = "%" + subject + "%" };
            sqlCommand.Parameters.Add(subjectParameter);
            sqlStatement += AddWhereLike("Subject", "@subjectParam", flag);
            flag = true;
        }

        sqlStatement += " order by Received_Date";

        sqlCommand.CommandText = sqlStatement;

        // do your database reading here (e.g. SqlDataAdapter.Fill) and return the filled DataSet
        var result = new DataSet();
        return result;
    }

    // hasWhereClause: true when an earlier condition already emitted " where ",
    // so this condition must be joined with " and " instead.
    private static string AddWhereLike(string columnName, string paramId, bool hasWhereClause)
    {
        var keyword = hasWhereClause ? " and " : " where ";
        return keyword + columnName + " LIKE " + paramId;
    }

By the way, you can check for an empty string with string.IsNullOrEmpty.

Is it just me, or is this SQL injection... anyone?

Instead of all those repeated flag checks, you could build up a list of conditions as separate strings and then (once they are all done) string.Join them using " and " as the separator and prefix a " where ". You might also want to look into using parameters at the same time.
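The parameterized approach from the last answer and the string.Join suggestion from the comments, combined into one added example (this is not code from the question or from any of the answers). It assumes the same table and columns as the question (dbo.Documents1, Ref, Subject, Received_Date); the class name DocumentSearchQuery, the @p0/@p1 parameter names and the connection string are made up for the illustration. The builder also escapes the LIKE wildcards so a user typing "%" or "_" searches for those literal characters.

```csharp
// Added example, not from the original question or answers.
// Collects filter conditions in a list, joins them with " AND ", prefixes a single
// " WHERE ", appends ORDER BY last, and binds every user value as a SqlParameter
// so user input never becomes part of the SQL text.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public sealed class DocumentSearchQuery
{
    private readonly List<string> _conditions = new List<string>();
    private readonly List<SqlParameter> _parameters = new List<SqlParameter>();

    // Adds "columnName LIKE @pN ESCAPE '\'" when the user supplied a value.
    // columnName is fixed by the caller (never user input); only the value is a parameter.
    public DocumentSearchQuery AddContains(string columnName, string userValue)
    {
        if (string.IsNullOrWhiteSpace(userValue))
            return this;

        string paramName = "@p" + _parameters.Count; // assumed naming scheme
        // LIKE treats %, _ and [ as wildcards; escape them so the user searches for the
        // literal characters, then wrap the pattern in % for a "contains" match.
        string pattern = "%" + EscapeLikeWildcards(userValue) + "%";
        _parameters.Add(new SqlParameter(paramName, SqlDbType.NVarChar, 4000) { Value = pattern });
        _conditions.Add(columnName + " LIKE " + paramName + " ESCAPE '\\'");
        return this;
    }

    // Backslash is declared as the ESCAPE character in the SQL, so it is escaped first.
    public static string EscapeLikeWildcards(string value)
    {
        return value.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }

    // SELECT, then the optional WHERE built from all conditions, then ORDER BY last.
    public string BuildSql()
    {
        string sql = "SELECT * FROM dbo.Documents1";
        if (_conditions.Count > 0)
            sql += " WHERE " + string.Join(" AND ", _conditions);
        return sql + " ORDER BY Received_Date";
    }

    public SqlCommand ToCommand(SqlConnection connection)
    {
        var command = new SqlCommand(BuildSql(), connection);
        foreach (var parameter in _parameters)
            command.Parameters.Add(parameter);
        return command;
    }

    public DataSet Execute(string connectionString)
    {
        var result = new DataSet();
        using (var connection = new SqlConnection(connectionString))
        using (var command = ToCommand(connection))
        using (var adapter = new SqlDataAdapter(command))
        {
            adapter.Fill(result);
        }
        return result;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input standing in for txtRef.Text and txtSubject.Text.
        var query = new DocumentSearchQuery()
            .AddContains("Ref", "REF-2013")
            .AddContains("Subject", "O'Brien 100%");

        // Prints the statement with @p0 and @p1 placeholders only; the quote and
        // the % in the second value stay inside the parameter as data.
        Console.WriteLine(query.BuildSql());

        // To run it against a real database (connection string is a placeholder):
        // DataSet documents = query.Execute("<connection string>");
    }
}
```

BuildSql produces one SELECT with a single WHERE joining the conditions and the ORDER BY at the end, which removes the flag bookkeeping entirely; because only column names and parameter placeholders are concatenated, the statement text is the same regardless of what the user typed, and the database receives the search strings as values.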