我想使用crystal report从我的数据库中创建VB报表。 [英] I want to create report in VB, net from my database using crystal report.

问题描述

您好，

我是Crystal Reports和vb.net的初学者。我想拆分我的数据库列并在report和datagridview中显示这些列。请尽快帮助我。



我尝试了什么：



我找到了代码，但我没有。

解决方案

永远不要那样做！永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。改为使用参数化查询。



连接字符串时会导致问题，因为SQL会收到如下命令：

  SELECT  *  FROM  MyTable  WHERE  StreetAddress = '  Baker' s Wood '   

就SQL而言，用户添加的引号会终止字符串，并且您会遇到问题。但情况可能更糟。如果我来并改为输入：x'; DROP TABLE MyTable; - 然后SQL收到一个非常不同的命令：

  SELECT  *  FROM  MyTable  WHERE  StreetAddress = '  x';  DROP  表 MyTable;   -   ' 

哪个SQL看作三个单独的命令：

  SELECT  *  FROM  MyTable  WHERE  StreetAddress = '  x'; 

完全有效的SELECT

  DROP   TABLE  MyTable; 

完全有效的删除表格通讯和

   -   ' 

其他一切都是评论。

所以它确实：选择任何匹配的行，从数据库中删除表，并忽略其他任何内容。



所以总是使用参数化查询！或者准备好经常从备份中恢复数据库。你经常定期备份，不是吗？



你的SQL表示更深层次的缺陷：你取一个DateTime值，把它转换成你C＃代码中的一个字符串，然后使用SQL将该字符串转换为...一个字符串，然后尝试将其用作BETWEEN语句中的Date。这意味着你的order_date列是一个字符串，这意味着你的BETWEEN将失败，因为它使用字符串比较，停止在两个字符串中的第一个不同的字符。所以

'31 -01-1900'在'01 -12-2017之后'，因为'3'在字符集中的'0'后面，并且SQL将停止查看该点。 />


将数据库更改为使用DATE，DATETIME或DATETIME2存储日期，并在修复应用程序中的所有其他连接时直接通过参数化查询传递DateTime值！



然后你可以解释一下拆分我的专栏实际意味着什么......但是这将需要等到你有一个安全的代码库来工作...

Hello,
I am beginner in Crystal Reports and vb.net. I want to split my database columns and show that columns in report and also in datagridview. Please help me asap.

What I have tried:

I was find the code but i didn't.

解决方案

Never do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

Which SQL sees as three separate commands:

SELECT * FROM MyTable WHERE StreetAddress = 'x';

A perfectly valid SELECT

DROP TABLE MyTable;

A perfectly valid "delete the table" command

--'

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

And your SQL indicates deeper flaws: You take a DateTime value, convert it to a string in your C# code, then use SQL to convert that string to ... a string, which you then try to use as a Date in a BETWEEN statement. That implies that your order_date column is a string, which means that your BETWEEN will fail, as it uses string comparisons which stop at the first different character in the two strings. So
'31-01-1900' is after '01-12-2017' because '3' is after '0' in the character set, and SQL will stop looking at that point.

Change your DB to use DATE, DATETIME, or DATETIME2 to store your dates, and pass the DateTime value directly via a parameterised query while you fix all the other concatenations in your application!

Then you can explain what "split my column" actually means ... but that will have to wait until you have a "safe" code base to work from...

这篇关于我想使用crystal report从我的数据库中创建VB报表。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！