SQL LIKE and = operators not working together in a single query

sql, asp.net, search

I am using asp.net web forms. In this web form I have a textbox and a button. The user enters a name or an id and clicks the search button. Searching by id works fine, but searching by name does not work. What am I missing? Please help me fix it.
String Status = "Active";
String BDstring = ConfigurationManager.ConnectionStrings["CS"].ConnectionString;
using (SqlConnection conn = new SqlConnection(BDstring))
{
    try
    {
        // One varchar parameter is compared against both the Name column and the DriverID column.
        String query = "SELECT * from Driver where(Name LIKE '%' + @search + '%' OR DriverID = @search) AND Status = 'Active'";
        SqlCommand cmd = new SqlCommand(query, conn);
        cmd.Parameters.AddWithValue("@search", SearchTextBox.Text);
        conn.Open();
        SqlDataReader SDR = cmd.ExecuteReader();
        DataTable DT = new DataTable();
        if (SDR.HasRows)
        {
            DT.Load(SDR);
            GridView.DataSource = DT;
            GridView.DataBind();
        }
    }
    catch (SqlException exe)
    {
        throw exe;
    }
}
}   // closes the enclosing button click handler, whose signature is not shown
How about this?

    SELECT * from Driver where Name like '%'+@search+'%' OR DriverID='+@search+' and Status='Active'
The code is generating an exception. The fact that you are not aware of this suggests that somewhere in your system you have error handling that is actually error hiding. Remove empty catch blocks, or pointless catch blocks like the one in your question that only destroys some of the information in the exception and rethrows it. They are not helping you.

The actual problem is that the DriverID column is int and your parameter is varchar. So long as the varchar contains a string that can be converted to a number (which is the direction the conversion happens in), the query is well formed.

As soon as the parameter contains a string that cannot be implicitly converted to a number, SQL Server generates an error, which .NET turns into an exception.

For the LIKE variant, you are forcing the conversion in the opposite direction, numeric -> varchar, because LIKE only operates on strings. That conversion will always succeed, but it means you are doing a text comparison rather than a numeric one, and it also means no index can be used here.

I would suggest you change the C# code to attempt int.TryParse on the input text, and then pass two separate parameters to SQL Server: the string, and optionally its numeric equivalent. Then use the appropriate parameter for each comparison in the query.

Something like:
String Status = "Active";
String BDstring = ConfigurationManager.ConnectionStrings["CS"].ConnectionString;
using (SqlConnection conn = new SqlConnection(BDstring))
{
    // Two parameters: the raw text for the LIKE comparison, and a typed int for the DriverID comparison.
    String query = "SELECT * from Driver where(Name LIKE '%' + @search + '%' OR " +
                   "DriverID = @driverId) AND Status = 'Active'";
    SqlCommand cmd = new SqlCommand(query, conn);
    cmd.Parameters.Add("@search", SqlDbType.VarChar, 50).Value = SearchTextBox.Text;
    cmd.Parameters.Add("@driverId", SqlDbType.Int);
    int driverId;
    if (int.TryParse(SearchTextBox.Text, out driverId))
    {
        cmd.Parameters["@driverId"].Value = driverId;
    }
    else
    {
        // A parameter whose Value is left null is not sent at all and SqlClient reports it as
        // "not supplied"; DBNull.Value sends SQL NULL, and DriverID = NULL matches no row.
        cmd.Parameters["@driverId"].Value = DBNull.Value;
    }
    conn.Open();
    using (SqlDataReader SDR = cmd.ExecuteReader())
    {
        DataTable DT = new DataTable();
        if (SDR.HasRows)
        {
            DT.Load(SDR);
            GridView.DataSource = DT;
            GridView.DataBind();
        }
    }
}
How do you know it is broken?

Because I tested it.

What happened? Do you get an exception, perhaps complaining that it failed to convert varchar to int?

When I use each where clause on its own it works fine, and no exception is thrown.

No, it says the name search does not exist in the current context.

You have moved the SQL variable outside the query string, so it will not compile. This seems to be adding a SQL injection vulnerability to the code that it did not have before. Not recommended.

I think SQL injection can be guarded against with input text validation before the query is sent.

I am now converting the driver id to int, and this throws an error: input string was not in a correct format.

@fahad - I tried to update the sample code, but obviously I cannot compile and debug it myself, since it is incomplete. I am not sure what you changed, but be very clear about which data types are involved everywhere, and make sure the types match - try to prevent any implicit conversion from happening. Once you get to that point you should not be caught out by any conversion errors. Your comment is unclear, because driver id is already int.
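The T-SQL script below is an added example, not code from the question, the answer or the comments. It reproduces on SQL Server the conversion error the answer describes, shows the two-typed-parameter fix in the exact form SqlClient sends it (sp_executesql with a typed parameter list), and demonstrates why the concatenated query suggested in the comments is open to SQL injection. The #Driver temp table, its columns, the sample rows and the injection payload are all constructed for this example; the original Driver table's real schema is not shown on the page.

```sql
-- Added example: the table, rows and payload are constructed for this script.
SET NOCOUNT ON;

CREATE TABLE #Driver
(
    DriverID int         NOT NULL PRIMARY KEY,
    Name     varchar(50) NOT NULL,
    Status   varchar(10) NOT NULL
);

INSERT INTO #Driver (DriverID, Name, Status) VALUES
    (12, 'John Smith', 'Active'),
    (13, 'Jane Doe',   'Inactive'),
    (14, 'Johnny Ng',  'Active');

-- 1. The original pattern: one varchar parameter compared against an int column.
--    Data type precedence makes SQL Server convert the parameter to int rather than
--    the column to varchar, so a non-numeric search term raises
--    Msg 245: Conversion failed when converting the varchar value 'John' to data type int.
--    OR is not guaranteed to short-circuit, so the name branch matching does not save you.
DECLARE @search varchar(50) = 'John';

BEGIN TRY
    SELECT DriverID, Name
    FROM   #Driver
    WHERE  (Name LIKE '%' + @search + '%' OR DriverID = @search)
      AND  Status = 'Active';
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS ErrorNumber, ERROR_MESSAGE() AS ErrorMessage;
END CATCH;

-- 2. The fix from the answer: the client parses the input once and sends two typed
--    parameters. @driverId is NULL when the text is not a number; DriverID = NULL is
--    never true, so only the LIKE branch can match. This sp_executesql call is what
--    SqlClient sends for the C# in the answer.
DECLARE @sql nvarchar(max) = N'
    SELECT DriverID, Name
    FROM   #Driver
    WHERE  (Name LIKE ''%'' + @search + ''%'' OR DriverID = @driverId)
      AND  Status = ''Active'';';

-- Non-numeric input: returns John Smith and Johnny Ng, matched by name.
EXEC sp_executesql @sql,
     N'@search varchar(50), @driverId int',
     @search = 'John', @driverId = NULL;

-- Numeric input: returns DriverID 12 (plus any active Name containing "12").
EXEC sp_executesql @sql,
     N'@search varchar(50), @driverId int',
     @search = '12', @driverId = 12;

-- 3. If the parsing has to stay on the SQL side, TRY_CONVERT (SQL Server 2012+)
--    returns NULL instead of raising, giving the same effect with one parameter.
SELECT DriverID, Name
FROM   #Driver
WHERE  (Name LIKE '%' + @search + '%' OR DriverID = TRY_CONVERT(int, @search))
  AND  Status = 'Active';

-- 4. Why the concatenation suggested in the comments is dangerous: the search text
--    becomes part of the SQL text and can rewrite the predicate. The payload closes
--    the parenthesis, adds its own condition and comments out the rest of the line.
DECLARE @payload varchar(50) = '0'') OR Status = ''Inactive'' --';
DECLARE @unsafe nvarchar(max) =
    N'SELECT DriverID, Name FROM #Driver WHERE (Name LIKE ''%' + @payload
    + N'%'' OR DriverID = ''' + @payload + N''') AND Status = ''Active'';';
-- Returns Jane Doe, who is Inactive: the Status = 'Active' filter was commented away.
EXEC (@unsafe);

DROP TABLE #Driver;
```

Run it in one batch against any SQL Server 2012 or later instance. Section 1 returns the error row instead of drivers, sections 2 and 3 return only active drivers, and section 4 returns a row the application never intended to expose; the parameterised forms in 2 and 3 are immune to the payload in 4 because the text is bound as a value and never parsed as SQL.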