I have this code, and I have some field in this combo box but I can get any information after search

Problem description

I have this code, and I have some field in this combo box but I can get any information after search.

sql = "SELECT * FROM Reg_info where '" + comboBox2.Text+ "'='" + textBox4.Text + "'";

What I have tried:

sql = "SELECT * FROM Reg_info where '" + comboBox2.Text+ "'='" + textBox4.Text + "'";

Recommended answer

First off, don't do that. Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
You are probably OK with the Combobox - but check it, very, very carefully - if it's not a fixed list then you are going to have to sanitise it damn carefully. The text box is a definite no-no - any user with access to it and a keyboard can destroy your DB just by typing...

But as to why you get nothing useful - it's probably your use of quotes around the column name. That turns it into a string, and means that unless the text box contains exactly the same string the query will never return any records.
Remove the quotes, check and sanitize your combobox, and parameterise your textbox.
It should start to work then.
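
An added example (not part of the original answers) of what the answer above recommends: the column name from comboBox2 is checked against a fixed allowlist, and the textBox4 value is sent as a parameter. It assumes SQL Server via System.Data.SqlClient; the class name, the column names and the 200-character parameter size are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient; // assumption: SQL Server; other providers have their own command types

static class RegInfoSearch
{
    // Hypothetical column names: replace with the real searchable columns of Reg_info.
    static readonly Dictionary<string, string> SearchableColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Name",  "[Name]"  },
            { "Phone", "[Phone]" },
            { "City",  "[City]"  },
        };

    // columnChoice comes from comboBox2.Text, searchText from textBox4.Text.
    public static SqlCommand BuildSearch(SqlConnection conn, string columnChoice, string searchText)
    {
        // Identifiers cannot be passed as parameters, so the column is looked up in a
        // fixed allowlist; only text from the dictionary values ever reaches the SQL.
        if (!SearchableColumns.TryGetValue(columnChoice ?? "", out string column))
            throw new ArgumentException("Unknown search column.", nameof(columnChoice));

        // The column is a bracketed identifier (not a quoted string); the value is a parameter.
        var cmd = new SqlCommand("SELECT * FROM Reg_info WHERE " + column + " = @value", conn);
        cmd.Parameters.Add("@value", SqlDbType.NVarChar, 200).Value = searchText ?? "";
        return cmd;
    }

    public static DataTable Search(string connectionString, string columnChoice, string searchText)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildSearch(conn, columnChoice, searchText))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table); // Fill opens and closes the connection itself
            return table;
        }
    }
}
```

Because the text box content travels as `@value`, quotes or SQL keywords typed into it are compared as data and never parsed as part of the statement.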


Please remove single quotation from where combobox2.text. Just use below
like as
sql = "SELECT * FROM Reg_info where " + comboBox2.Text+ " ='" + textBox4.Text + "'";

