Warning: file_get_contents(/data/phpspider/zhask/data//catemap/2/csharp/326.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
C# 不仅按姓氏搜索_C#_Sql - Fatal编程技术网
Fatal编程技术网
  • csharp/
  • C# 不仅按姓氏搜索

C# 不仅按姓氏搜索

c# sql

C# 不仅按姓氏搜索,c#,sql,C#,Sql,在我的web应用程序中,我有一个搜索框,这样我可以使用firstname或lastname搜索我的数据库,它将在我的web应用程序中显示结果。用户输入firstname或lastname。如果按firstname搜索查询正在运行,则正常,但如果用户仅按姓氏搜索,则显示表中的所有数据,而不是按lastname显示的数据 string sql = @"SELECT opd_id AS [OPD No] , opd_date AS DATE , opd_dpt AS DE

在我的web应用程序中,我有一个搜索框,这样我可以使用firstname或lastname搜索我的数据库,它将在我的web应用程序中显示结果。用户输入firstname或lastname。如果按firstname搜索查询正在运行,则正常,但如果用户仅按姓氏搜索,则显示表中的所有数据,而不是按lastname显示的数据

 string sql = @"SELECT opd_id AS [OPD No]
       , opd_date AS DATE
       , opd_dpt AS DEPARTMENT
       , opd_pfname + ' ' + opd_plname AS [Patient NAME]
       , opd_age AS AGE
       , opd_gender AS GENDER
       , opd_mob AS [MOBILE NO]
       , opd_fthrname AS [FATHER NAME]
       , opd_hsbndname AS [HUSBAND NAME]
       FROM tbl_OPD 
        WHERE opd_pfname like'%" + fname + @"%' 
        OR opd_plname like'%" + lname + @"% '
        ORDER BY DATE DESC";
中的额外空白

OR opd_plname like'%" + lname + @"% '
空白^

另外,请注意,您可以使用和参数绑定来修复它,而不会看到更多的代码。它可能是因为您只填充了
fname
lname
变量。假设是这种情况,您可以使用此代码

// this assumes that you have only have 1 input for both the first name and lastname 
// and are storing it in a variable named searchForName
using (var connection = new SqlConnection("YOUR_CONFIGURATION_CONNECTION_STRING"))
{
    using (var command = new SqlCommand("SELECT opd_id AS [OPD No], opd_date AS DATE, opd_dpt AS DEPARTMENT, opd_pfname + ' ' + opd_plname AS [Patient NAME], opd_age AS AGE, opd_gender AS GENDER, opd_mob AS [MOBILE NO], opd_fthrname AS [FATHER NAME], opd_hsbndname AS [HUSBAND NAME] FROM tbl_OPD WHERE (opd_pfname like @p0 OR opd_plname like @p0) ORDER BY DATE DESC", connection))
    {
        command.Parameters.Add(new SqlParameter("@p0", string.Format("%{0}%", searchForName)));

        // rest of your code here E.G., sComm.ExecuteNonQuery();
    }
}
如果您知道两个变量都已填充,请尝试此代码块

using (var connection = new SqlConnection("YOUR_CONFIGURATION_CONNECTION_STRING"))
{
    using (var command = new SqlCommand("SELECT opd_id AS [OPD No], opd_date AS DATE, opd_dpt AS DEPARTMENT, opd_pfname + ' ' + opd_plname AS [Patient NAME], opd_age AS AGE, opd_gender AS GENDER, opd_mob AS [MOBILE NO], opd_fthrname AS [FATHER NAME], opd_hsbndname AS [HUSBAND NAME] FROM tbl_OPD WHERE (opd_pfname like @p0 OR opd_plname like @p1) ORDER BY DATE DESC", connection))
    {
        command.Parameters.Add(new SqlParameter("@p0", string.Format("%{0}%", searchForFirstName)));
        command.Parameters.Add(new SqlParameter("@p1", string.Format("%{0}%", searchForLastName)));

        // rest of your code here E.G., sComm.ExecuteNonQuery();
    }
}
另外,正如其他人所说,这里显示的代码有点不安全,您应该尽一切努力避免Sql注入攻击

opd_pfname到底有什么?有人想玩SQL注入游戏吗?opd_pfname,opd_plname是列名问题是,当'fname'为空时,您接受的是每条记录。'opd_pfname“始终是”like%%”