C# Asp.net中的SQL连接查询
我正在使用Asp.net中的联接查询联接5个表。当我单击GridView行时,它会给出该行的id,并使用sql连接将GridView绑定到另一个页面上。但是,当单击任何网格视图行时,它将通过correct id,但sql连接查询中的所有字段都显示为null。 这是我的.aspx页面C# Asp.net中的SQL连接查询,c#,asp.net,sql-server,gridview,C#,Asp.net,Sql Server,Gridview,我正在使用Asp.net中的联接查询联接5个表。当我单击GridView行时,它会给出该行的id,并使用sql连接将GridView绑定到另一个页面上。但是,当单击任何网格视图行时,它将通过correct id,但sql连接查询中的所有字段都显示为null。 这是我的.aspx页面 <asp:GridView ID="GrdUni" runat="server" AutoGenerateColumns="False" DataKeyNames="u_id" DataSourceID="Un
<asp:GridView ID="GrdUni" runat="server" AutoGenerateColumns="False" DataKeyNames="u_id" DataSourceID="UniversityInfo">
<Columns>
<asp:BoundField DataField="u_id" HeaderText="u_id" ReadOnly="True" SortExpression="u_id" HtmlEncode="false" DataFormatString="<a target='_blank' href='Details.aspx?u_id={0}'>u_id</a>" />
<asp:BoundField DataField="uni_name" HeaderText="uni_name" SortExpression="uni_name" />
<asp:BoundField DataField="Type" HeaderText="Type" SortExpression="Type" />
<asp:BoundField DataField="location" HeaderText="location" SortExpression="location" />
<asp:BoundField DataField="specialization" HeaderText="specialization" SortExpression="specialization" />
<asp:BoundField DataField="VC" HeaderText="VC" SortExpression="VC" />
<asp:BoundField DataField="contact" HeaderText="contact" SortExpression="contact" />
</Columns>
</asp:GridView>
public DataTable JoinTables(int UniID)
{
try
{
return DAL.Get("select '"
+ facM.f_name + "' , '"
+ departM.depart_name + "' , '"
+ ProgM.p_name + "' ,'"
+ ProgM.Eligible_criteria + "','"
+ ProgM.seats_allocated
+ "' from dbo.University JOIN dbo.faculties ON "
+ facM.u_id + " = " + UniID
+ " JOIN dbo.departments ON " + departM.f_id + " = " + facM.f_id
+ " JOIN dbo.programs ON " + ProgM.d_id + " = " + departM.d_id + " ");
}
catch (Exception exc)
{
throw exc;
}
}
}
我的问题是联接查询中的每个字段都传递null值而不是UniID。我认为必须重写JoinTables方法。这是我们应该如何看待的唯一例子
public DataTable JoinTables(int uniId)
{
using (SqlDataAdapter adapter = new SqlDataAdapter() )
{
using (SqlCommand dbCommand = new SqlCommand())
{
DataTable table = new DataTable("University");
try
{
dbCommand.CommandType = CommandType.Text;
dbCommand.CommandText = @"SELECT u.column1, t2.column2 FROM University u, table t2 WHERE t1.coulmn1 = t2.column2 and u.unitid = @UnitId";
dbCommand.Parameters.AddWithValue("@UnitId", uniId);
adapter.SelectCommand = dbCommand;
adapter.SelectCommand.Connection = GetConnection();
adapter.Fill(table);
}
finally
{
dbCommand.Parameters.Clear();
if (null != dbCommand.Connection)
{
if (dbCommand.Connection.State != System.Data.ConnectionState.Closed)
dbCommand.Connection.Close();
dbCommand.Connection = null;
}
}
return table;
}
}
}
public SqlConnection GetConnection()
{
SqlConnection connection = new SqlConnection(_connectionString);
connection.Open();
return connection;
}
网格中的列名与查询不匹配
<Columns>
<asp:BoundField DataField="u_id" HeaderText="u_id" ReadOnly="True" SortExpression="u_id" HtmlEncode="false" DataFormatString="<a target='_blank' href='Details.aspx?u_id={0}'>u_id</a>" />
<asp:BoundField DataField="uni_name" HeaderText="uni_name" SortExpression="uni_name" />
<asp:BoundField DataField="Type" HeaderText="Type" SortExpression="Type" />
<asp:BoundField DataField="location" HeaderText="location" SortExpression="location" />
<asp:BoundField DataField="specialization" HeaderText="specialization" SortExpression="specialization" />
<asp:BoundField DataField="VC" HeaderText="VC" SortExpression="VC" />
<asp:BoundField DataField="contact" HeaderText="contact" SortExpression="contact" />
</Columns>
此外,正如评论中提到的,代码确实需要修改以防止出现错误。我同意其他评论:明智的做法是使用ORM工具,例如Entity Framework、NHibernate、OrmLite等,或者至少使用@Joro所示的参数化查询,以帮助您更好地创建此SQL 但除此之外,你对最初加入的大学和学院有问题。基本上,您没有以任何方式使用University表:它不是join的一部分,也不是select或where子句的一部分。您还将C和SQL与连接混合在一起。我想你想要这样的东西:
return DAL.Get(@"select facM.f_name,
departM.depart_name,
ProgM.p_name,
ProgM.Eligible_criteria,
ProgM.seats_allocated
from dbo.faculties facM
JOIN dbo.departments departM ON departM.f_id = facM.f_id
JOIN dbo.programs ProgM ON ProgM.d_id departM.d_id
WHERE facM.u_id = " + UniID;
由于UniId已被类型化为整数,因此可以安全地防止SQL注入攻击。但是,如果您出于某种原因将类型更改为字符串,那么它将受到攻击。首先,sql中的串联会导致sql注入攻击。但为什么要在select语句中硬编码字段值呢?我总是像上面那样工作,但我以前从未使用过join查询。我已经更新、删除、编辑和插入了很多类似于上面的值。我相信你有,我相信你的代码很容易被攻击。这是一种非常糟糕的做法。我的建议是,使用您试图连接的sql字符串,并尝试在ManagementStudio中运行它。您正在尝试根据值而不是列进行联接。上述查询在sql management studio中运行良好
<Columns>
<asp:BoundField DataField="u_id" HeaderText="u_id" ReadOnly="True" SortExpression="u_id" HtmlEncode="false" DataFormatString="<a target='_blank' href='Details.aspx?u_id={0}'>u_id</a>" />
<asp:BoundField DataField="uni_name" HeaderText="uni_name" SortExpression="uni_name" />
<asp:BoundField DataField="Type" HeaderText="Type" SortExpression="Type" />
<asp:BoundField DataField="location" HeaderText="location" SortExpression="location" />
<asp:BoundField DataField="specialization" HeaderText="specialization" SortExpression="specialization" />
<asp:BoundField DataField="VC" HeaderText="VC" SortExpression="VC" />
<asp:BoundField DataField="contact" HeaderText="contact" SortExpression="contact" />
</Columns>
"select '"
+ facM.f_name + "' , '"
+ departM.depart_name + "' , '"
+ ProgM.p_name + "' ,'"
+ ProgM.Eligible_criteria + "','"
+ ProgM.seats_allocated
return DAL.Get(@"select facM.f_name,
departM.depart_name,
ProgM.p_name,
ProgM.Eligible_criteria,
ProgM.seats_allocated
from dbo.faculties facM
JOIN dbo.departments departM ON departM.f_id = facM.f_id
JOIN dbo.programs ProgM ON ProgM.d_id departM.d_id
WHERE facM.u_id = " + UniID;