How to search multiple record from table


Problem description


How to search multiple records, entered in a single text box separated with commas, from a table and display them in a grid view using ASP.NET and VB.NET? I prepared the code to display in the grid view, but I can display only one record at a time; I want to display more than one record. Can anyone help me with this? Below is the existing code.

What I have tried:

If txtReferenceNo.Text <> "" Then
    If filter.Trim() = "" Then
        filter = " WHERE ReferenceNo ='" & txtReferenceNo.Text & "'"
    Else
        filter = filter & " AND ReferenceNo ='" & txtReferenceNo.Text & "'"
    End If
End If

Recommended answers

Your approach is wrong from the very beginning. The query is composed by concatenation with strings taken from the UI. Not only is repeated string concatenation inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but there is a way more important issue: it opens the doors to a well-known exploit called SQL injection.

This is how it works: http://xkcd.com/327.

Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.

What to do? Just read about this problem and the main remedy: parametrized statements: http://en.wikipedia.org/wiki/SQL_injection.

With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

Now, "search multiple record from table"… is not even a topic. This is a matter of such thing called SQL… :-)

—SA


If you are forming the dynamic query in the VB code, ensure that you have taken measures to prevent SQL injection.
Refer to the links below if you really care about protecting your application from attacks:
sql server - Parameterize an SQL IN clause - Stack Overflow
How to pass sqlparameter to IN()? - Stack Overflow

Dim Filter As String = " Select * from TableName "
Dim inQuery As String = ""
' Drop surrounding whitespace and any leading/trailing commas from the textbox value
Dim csvRefNo As String = txtReferenceNo.Text.Trim().TrimEnd(",").TrimStart(",")
If Not String.IsNullOrWhiteSpace(csvRefNo) Then
    ' One entry per comma-separated reference number, skipping empty pieces such as "a,,b"
    Dim refNos() As String = csvRefNo.Split(New String() {","}, StringSplitOptions.RemoveEmptyEntries)
    For Each refNo As String In refNos
        ' Trim each piece and strip single quotes before wrapping it as a quoted SQL literal
        inQuery = inQuery & String.Format("'{0}',", refNo.Trim().Replace("'", ""))
    Next
    ' Remove the trailing comma left by the loop and wrap the list in an IN clause
    inQuery = inQuery.Trim().TrimEnd(",")
    inQuery = " where ReferenceNo IN ( " & inQuery & " )"
End If

Filter = Filter & inQuery
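The parameterized IN clause that the two Stack Overflow links above describe, as an added example that is not part of any answer on this page: it is written in Python with sqlite3 so it runs stand-alone, the TableName rows are constructed sample data, and the ADO.NET equivalent (one SqlParameter per value, named @p0, @p1, ...) is assumed rather than shown.

```python
import sqlite3

# Constructed sample rows standing in for the asker's "TableName" (assumption).
SAMPLE_ROWS = [
    ("REF001", "first"),
    ("REF002", "second"),
    ("REF003", "third"),
    ("REF001,REF002", "a key that itself contains a comma"),
]


def open_sample_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE TableName (ReferenceNo TEXT, Description TEXT)")
    con.executemany("INSERT INTO TableName VALUES (?, ?)", SAMPLE_ROWS)
    return con


def split_csv(text):
    """Turn textbox content such as ' REF001, REF002,' into ['REF001', 'REF002']."""
    return [part.strip() for part in text.split(",") if part.strip()]


def build_in_query(ref_csv):
    """Return (sql, params) with one placeholder per reference number.

    The user-supplied values never become part of the SQL text: only the
    placeholders are, and the driver sends the values separately, so a value
    containing quotes or SQL keywords is compared as a plain string.
    An empty textbox keeps the asker's behaviour of applying no filter.
    """
    values = split_csv(ref_csv)
    sql = "SELECT ReferenceNo, Description FROM TableName"
    if values:
        placeholders = ", ".join("?" for _ in values)
        sql += " WHERE ReferenceNo IN (%s)" % placeholders
    return sql, values


def search_references(con, ref_csv):
    """Run the parameterized query and return the matching ReferenceNo values."""
    sql, params = build_in_query(ref_csv)
    return sorted(row[0] for row in con.execute(sql, params))
```

Database engines cap the number of bound parameters per statement (SQLite's default is 999; SQL Server's is 2100), so very long comma lists need to be chunked or loaded into a table-valued parameter.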


If you want to pass comma-separated values, then in your case, instead of

    ReferenceNo ='" & txtReferenceNo.Text & "'"

you should use

    ReferenceNo IN ('" & txtReferenceNo.Text & "')"

