C# 在oledb命令中使用变量
在c#中使用oledb命令函数进行sql查询时,连接变量的正确方法是什么。要应用一些上下文,我试图使列表框显示的内容依赖于在上一个列表框上所做的另一个选择。这是我尝试过的,但不起作用C# 在oledb命令中使用变量,c#,sql,concatenation,oledb,C#,Sql,Concatenation,Oledb,在c#中使用oledb命令函数进行sql查询时,连接变量的正确方法是什么。要应用一些上下文,我试图使列表框显示的内容依赖于在上一个列表框上所做的另一个选择。这是我尝试过的,但不起作用 OleDbCommand projects = new OleDbCommand("SELECT * FROM Client_projects WHERE clients = " + (listBox1.SelectedItem.ToString()) , conn); OleDbDataReader
OleDbCommand projects = new OleDbCommand("SELECT * FROM Client_projects
WHERE clients = " + (listBox1.SelectedItem.ToString()) , conn);
OleDbDataReader project = projects.ExecuteReader();
while (project.Read())
{
// Add items from the query into the listbox
listBox2.Items.Add(project[1].ToString());
}
字符串连接可能会导致SQL注入问题,因此不应使用它来构建SQL。您应该参数化您的查询。所以像这样的事情
using (OleDbCommand projects = new OleDbCommand("SELECT * FROM Client_projects WHERE clients = ?", conn))
{
projects.Parameters.Add("?", OleDbType.VarChar).Value = listBox1.SelectedItem.ToString();
OleDbDataReader project = projects.ExecuteReader();
while (project.Read())
{
listBox2.Items.Add(project[1].ToString());
}
}
using (OleDbCommand projects = new OleDbCommand("SELECT * FROM Client_projects WHERE clients = ? AND Date = ?", conn))
{
projects.Parameters.Add("?", OleDbType.VarChar).Value = listBox1.SelectedItem.ToString();
projects.Parameters.Add("?", OleDbType.Date).Value = DateTime.Today;
OleDbDataReader project = projects.ExecuteReader();
while (project.Read())
{
listBox2.Items.Add(project[1].ToString());
}
}
SELECT * FROM Client_projects WHERE clients = @Clients
projects.Parameters.Add("@Clients", SqlDbType.VarChar).Value = listBox1.SelectedItem.ToString();
正确的方法是传入一个带有值的参数。客户端是varchar吗?然后使用
WHERE clients='”+(listBox1.SelectedItem.ToString())+“'“项目[1]项目[0]