用于获取产品ID的参数化查询 [英] Parameterized queries for getting product id

查看:94
本文介绍了用于获取产品ID的参数化查询的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

运行此命令后,出现错误:无效的列名.
我想要的是:显示组合框所选项目的产品ID.

您如何改善呢? 

 字符串 ProductNo = lblrawmatno.Text;
字符串 ProductName = cboproductname.SelectedItem.ToString();
          
           
字符串 sql = "  + ProductName;

SqlCommand cmd =  SqlCommand(sql,cn);

SqlDataReader dr = cmd.ExecuteReader();
dr.Close();

解决方案

 字符串 ProductNo = lblrawmatno.Text;
字符串 ProductName = cboproductname.SelectedItem.ToString();
          
           
字符串 sql = " ;
 
SqlCommand cmd =  SqlCommand(sql,cn);
cmd.Parameters.AddWithValue(" ,ProductName);
 
SqlDataReader dr = cmd.ExecuteReader();
// 在此处读取结果
dr.Close();



您可以改善更多... 

 字符串 sqlQuery = " ;
使用( var  dataConnection =  SqlConnection( connectionString))
{
    使用( var  dataCommand =  SqlCommand( sqlQuery,dataConnection))
    {
        dataCommand.Parameters.AddWithValue(" ,ProductName);
        dataConnection.Open();
         var  reader = dataCommand.ExecuteReader();
        同时(reader.Read()){
                // 做某事
        }
    }
}


用作

 字符串 sql = " ;
 
SqlCommand cmd =  SqlCommand(sql,cn);
cmd.Parameters.AddWithValue(" ,ProductName);
 
SqlDataReader dr = cmd.ExecuteReader();


我猜ProductName是一个基于字符的列,因此您必须在文字上加上引号.否则,SQL会认为您正在按名称引用列:

 字符串 sql = "  + ProductName +  '";  



但是请注意以下几点:请不要那样构造您的SQL.使用SqlParameter可以防止SQL注入攻击.



此致



曼弗雷德(Manfred)


After I run this, I get an error: Invalid column name.
What I want: is to display the Product id of the combobox selected item.

How do you improve this? 

string ProductNo = lblrawmatno.Text;
string ProductName = cboproductname.SelectedItem.ToString();
          
           
string sql = "SELECT ProductNo FROM RawMat WHERE ProductName=" + ProductName;

SqlCommand cmd = new SqlCommand(sql, cn);

SqlDataReader dr = cmd.ExecuteReader();
dr.Close();

解决方案 

string ProductNo = lblrawmatno.Text;
string ProductName = cboproductname.SelectedItem.ToString();
          
           
string sql = "SELECT ProductNo FROM RawMat WHERE ProductName=@ProductName";
 
SqlCommand cmd = new SqlCommand(sql, cn);
cmd.Parameters.AddWithValue("@ProductName", ProductName); 
 
SqlDataReader dr = cmd.ExecuteReader();
// reading the results here 
dr.Close();



you can improve more...

string sqlQuery = "SELECT ProductNo FROM RawMat WHERE ProductName=@ProductName";
using (var dataConnection = new SqlConnection(connectionString))
{
    using (var dataCommand = new SqlCommand(sqlQuery, dataConnection))
    {
        dataCommand.Parameters.AddWithValue("@ProductName", ProductName);
        dataConnection.Open();
        var reader = dataCommand.ExecuteReader();
        while (reader.Read()) {
                //do something
        }
    }
}


Use As

string sql = "SELECT ProductNo FROM RawMat WHERE ProductName=@PName";
 
SqlCommand cmd = new SqlCommand(sql, cn);
cmd.Parameters.AddWithValue("@PName",ProductName);
 
SqlDataReader dr = cmd.ExecuteReader();


I''d guess that ProductName is a character based column, so you''ll have to put quotes around the literal. Otherwise SQL will think you are referencing a column by name:

string sql = "SELECT ProductNo FROM RawMat WHERE ProductName='" + ProductName+"'";



One note of caution though: Please don''t construct your SQL like that. Use SqlParameter as it will prevent SQL injection attacks.

Regards,

Manfred


这篇关于用于获取产品ID的参数化查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发语言最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆