C# search filter function: order by not working
I am trying to implement order by in the following search function:
    public DataSet SearchTable()
    {
        string sql1 = "SELECT * from dbo.Documents1 order by Received_Date";
        bool flag = false;
        if (!txtRef.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + " and Ref LIKE N'%" + txtRef.Text + "%'";
            }
        }
        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + " and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }
        // ... the rest of the method (executing sql1 and filling the DataSet) is not shown in the question
    }
I get the following error:
Incorrect syntax near the keyword 'where'.
Any idea how to fix this? Thanks in advance.

You are ordering before the WHERE. That is not correct SQL syntax. Try the following:
    public DataSet SearchTable()
    {
        string sql1 = "SELECT * from dbo.Documents1";
        bool flag = false;
        if (!txtRef.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + " and Ref LIKE N'%" + txtRef.Text + "%'";
            }
        }
        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + " and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }
        // the order by clause is appended only after all where conditions
        sql1 = sql1 + " order by Received_Date";
        // ... the rest of the method (executing sql1 and filling the DataSet) is unchanged
    }
I created a separate method that returns the SQL query. The "order by" clause is taken out and appended just before the query is returned. I also removed the "else" condition from the first block, because it is always true.

    public string GetSQL()
    {
        string sql1 = "SELECT * from dbo.Documents1";
        bool flag = false;
        if (!txtRef.Text.Equals(""))
        {
            sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
            flag = true;
        }
        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + " and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }
        sql1 = sql1 + " order by Received_Date";
        return sql1;
    }
The code you have is vulnerable. To avoid that, use parameters wherever possible. The code could then look like this:

    public DataSet SearchTable()
    {
        string sqlStatement = "SELECT * from dbo.Documents1";
        bool flag = false;
        var reference = "something"; // txtRef.Text
        var subject = "something else"; // txtSubject.Text
        var sqlCommand = new SqlCommand();
        if (!string.IsNullOrWhiteSpace(reference))
        {
            // the wildcards go into the parameter value; the SQL text only names the parameter
            var referenceParameter = new SqlParameter("@referenceParam", SqlDbType.VarChar, 100) { Value = "%" + reference + "%" };
            sqlCommand.Parameters.Add(referenceParameter);
            sqlStatement += AddWhereLike("Ref", "@referenceParam", !flag);
            flag = true;
        }
        if (!string.IsNullOrWhiteSpace(subject))
        {
            // use the subject here, not the reference
            var subjectParameter = new SqlParameter("@subjectParam", SqlDbType.VarChar, 100) { Value = "%" + subject + "%" };
            sqlCommand.Parameters.Add(subjectParameter);
            sqlStatement += AddWhereLike("Subject", "@subjectParam", !flag);
            flag = true;
        }
        sqlStatement += " order by Received_Date";
        sqlCommand.CommandText = sqlStatement;
        // do your database reading here
        return new DataSet(); // placeholder: fill this DataSet from sqlCommand
    }

    private static string AddWhereLike(string columnName, string paramId, bool isFirstWhereCondition)
    {
        // the parentheses matter: without them the conditional operator swallows the whole concatenation
        var whereCondition = (isFirstWhereCondition ? " where " : " and ") + columnName + " LIKE " + paramId;
        return whereCondition;
    }
By the way, you can check for an empty string with string.IsNullOrEmpty.

Is it just me, or is this SQL injection... anyone?

Instead of all those repeated flag checks, you could build up a list of conditions as separate strings and then (once they are all done) string.Join them with " and " as the separator and prefix a " where ". You might also want to look into using parameters at the same time.
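The list-of-conditions approach from the last comment, combined with the parameters the third answer calls for, as an added example that is not code from the question or from any of the answers. It assumes the dbo.Documents1 table and the Ref, Subject and Received_Date columns from the question, System.Data.SqlClient, and a connection string supplied by the caller; the EscapeLikePattern helper and the sample inputs in Main are my own additions and not part of the page.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class DocumentSearch
{
    // User input inside a LIKE pattern is not an injection, but '%', '_' and
    // '[' still act as wildcards on SQL Server. Escaping them (and the escape
    // character itself) makes the search match the typed text literally; the
    // query uses ESCAPE '\' so the backslash is the escape character.
    public static string EscapeLikePattern(string input)
    {
        return input.Replace(@"\", @"\\")
                    .Replace("%", @"\%")
                    .Replace("_", @"\_")
                    .Replace("[", @"\[");
    }

    // Builds the command without executing it, so the SQL text and the
    // parameter values can be inspected (or unit-tested) separately.
    public static SqlCommand BuildSearchCommand(string reference, string subject)
    {
        var command = new SqlCommand();
        var conditions = new List<string>();

        // Column names are fixed literals chosen here, never taken from the user.
        if (!string.IsNullOrWhiteSpace(reference))
        {
            conditions.Add(@"Ref LIKE @ref ESCAPE '\'");
            // The wildcards belong in the parameter VALUE, not in the SQL text.
            command.Parameters.Add("@ref", SqlDbType.NVarChar, 200).Value =
                "%" + EscapeLikePattern(reference) + "%";
        }
        if (!string.IsNullOrWhiteSpace(subject))
        {
            conditions.Add(@"Subject LIKE @subject ESCAPE '\'");
            command.Parameters.Add("@subject", SqlDbType.NVarChar, 200).Value =
                "%" + EscapeLikePattern(subject) + "%";
        }

        // No flag juggling: one join produces the whole WHERE clause, and the
        // ORDER BY is appended after it, which is what the question got wrong.
        string where = conditions.Count == 0
            ? ""
            : " WHERE " + string.Join(" AND ", conditions);
        command.CommandText = "SELECT * FROM dbo.Documents1" + where + " ORDER BY Received_Date";
        return command;
    }

    public static DataSet SearchTable(string connectionString, string reference, string subject)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = BuildSearchCommand(reference, subject))
        {
            command.Connection = connection;
            using (var adapter = new SqlDataAdapter(command))
            {
                var result = new DataSet();
                adapter.Fill(result); // the adapter opens and closes the connection itself
                return result;
            }
        }
    }

    public static void Main()
    {
        // Constructed sample input: a reference that looks like an injection
        // attempt and a subject containing a LIKE wildcard. Neither reaches
        // the SQL text; both travel as parameter values.
        using (var cmd = BuildSearchCommand("abc' OR 1=1 --", "50%"))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
            {
                Console.WriteLine(p.ParameterName + " = " + p.Value);
            }
        }
    }
}
```

The printed CommandText stays the same whatever the user types; only the parameter values change. Because the driver sends the parameters separately from the statement, the quote and the comment marker in the sample reference are just characters to search for, and the `%` in the sample subject is escaped so it is searched for literally rather than treated as a wildcard.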