您尝试执行不包含指定表达式“Student_Images”的查询作为聚合函数的一部分。 [英] You tried to execute a query that does not include the specified expression 'Student_Images' as part of an aggregate function.

问题描述

这是我的代码

This is my code

Da = New OleDbDataAdapter("SELECT A.AdmissionID,A.FatherFN,A.FatherLN,A.FatMob,A.MotMob,A.SMSNo,A.SSession,A.AdmissionNo,A.BusFacility,R.SName,R.RollNo,R.ClassName,sum(S.Credit),sum(S.Debit),A.Student_Images " &
                                      "from ((Admission A " &
                                      "INNER JOIN StudentAccount S ON A.AdmissionID = S.AdmissionID) " &
                                      "INNER JOIN MasterRollNo R ON A.AdmissionID = R.AdmissionID) " &
                                      "where R.ExamName='" & ComboBox1.Text & "' and R.ClassName='" & ComboBox2.Text & "' " &
                                      "GROUP BY A.AdmissionID,A.FatherFN,A.FatherLN,A.FatMob,A.MotMob,A.SMSNo,A.SSession,A.AdmissionNo,A.BusFacility,R.SName,R.RollNo,R.ClassName", Conn)

推荐答案

您的代码容易受到 SQL注入 [ ^ 。 从不使用字符串连接来构建SQL查询。 总是使用参数化查询。



错误信息非常清楚 - 您的查询包含 Student_Images 列，它不是 GROUP BY 子句的一部分，并且不包含在聚合函数中。将列添加到 GROUP BY 子句，或使用聚合函数。

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

The error message is quite clear - your query includes the Student_Images column, which is not part of the GROUP BY clause, and is not included in an aggregate function. Either add the column to the GROUP BY clause, or use an aggregate function.

Da = New OleDbDataAdapter("SELECT A.AdmissionID, A.FatherFN, A.FatherLN, A.FatMob, A.MotMob, A.SMSNo, A.SSession, A.AdmissionNo, A.BusFacility, R.SName, R.RollNo, R.ClassName, sum(S.Credit), sum(S.Debit), A.Student_Images " &
    "FROM ((Admission A " &
    "INNER JOIN StudentAccount S ON A.AdmissionID = S.AdmissionID) " &
    "INNER JOIN MasterRollNo R ON A.AdmissionID = R.AdmissionID) " &
    "WHERE R.ExamName = ? And R.ClassName = ? " &
    "GROUP BY A.AdmissionID, A.FatherFN, A.FatherLN, A.FatMob, A.MotMob, A.SMSNo, A.SSession, A.AdmissionNo, A.BusFacility, R.SName, R.RollNo, R.ClassName, A.Student_Images", Conn)

' OleDb doesn't use named parameters, so only the order matters here:
Da.SelectCommand.Parameters.AddWithValue("ExamName", ComboBox1.Text)
Da.SelectCommand.Parameters.AddWithValue("ClassName", ComboBox2.Text)

< a href =http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html>你想知道关于SQL注入的一切（但不敢问） |特洛伊亨特 [ ^ ]

如何在没有技术术语的情况下解释SQL注入？ |信息安全堆栈交换 [ ^ ]

查询参数化备忘单| OWASP [ ^ ]

SQL注入攻击机制Pluralsight [ ^ ]

Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
SQL injection attack mechanics | Pluralsight [^]

这篇关于您尝试执行不包含指定表达式“Student_Images”的查询作为聚合函数的一部分。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！