Sqldataadapter没有填充数据表。 [英] Sqldataadapter not filling in datatable.

问题描述

此代码无效。当我逐行调试代码转换问题。系统显示错误将varchar转换为日期时间超出范围（类似于此）。



我尝试过：

This code is not working. when i debug the code line by line facing issue of conversion. system show error "Conversion of varchar to datetime is over range (something like that)".

What I have tried:

public DataTable GetAllSessionForDoctor(DateTime dtsession, long locationId)
      {
          SqlCommand cmd = new SqlCommand();
          SqlConnection con = new SqlConnection(Properties.Settings.Default.HMSCon);
          string str = "SELECT  tblEmployee.Employeeid, tblEmployee.EmployeeName + ' ' + tblEmployee.MiddleName + ' ' + tblEmployee.LastName AS [Doctor Name] " +
               " FROM tbluserType INNER JOIN tblEmployee ON tbluserType.utid = tblEmployee.type INNER JOIN " +
               " sessionDoctor ON tblEmployee.Employeeid = sessionDoctor.doctorID INNER JOIN sessionOPD ON sessionDoctor.sessionID = sessionOPD.sessionId INNER JOIN " +
               " tblDoctorCategory ON sessionDoctor.doctorID = tblDoctorCategory.doctorId WHERE (sessionOPD.sessionDate = '" + dtsession + "') AND (tblEmployee.LocationId = " + locationId + ") AND (tbluserType.CEP = 'true') and (tblemployee.EndJob = 'false')";

          SqlDataAdapter da = new SqlDataAdapter(str, con);
          DataTable dt = new DataTable();
          try
          {
              con.Open();
              da.Fill(dt);
              //MessageBox.Show(dt.ToString());
          }
          catch (Exception ex)
          {
              throw new Exception(ex.Message);
          }
          finally
          {
              con.Close();
          }
          return dt;
          //MessageBox.Show(dt.ToString());
      }

推荐答案

不要做那样的事情。永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。总是使用参数化查询。



连接字符串时会导致问题，因为SQL会收到如下命令：

Do not do things like that. Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:

SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'

就SQL而言，用户添加的引号会终止字符串，并且您会遇到问题。但情况可能更糟。如果我来并改为输入：x'; DROP TABLE MyTable; - 然后SQL收到一个非常不同的命令：

The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'

哪个SQL看作三个单独的命令：

Which SQL sees as three separate commands:

SELECT * FROM MyTable WHERE StreetAddress = 'x';

完全有效的SELECT

A perfectly valid SELECT

DROP TABLE MyTable;

完全有效的删除表格通讯和

A perfectly valid "delete the table" command

--'

其他一切都是评论。

所以它确实：选择任何匹配的行，从数据库中删除表，并忽略其他任何内容。



所以总是使用参数化查询！或者准备好经常从备份中恢复数据库。你经常定期备份，不是吗？



在你想到这个问题之前修复你的整个应用程序，几乎可以肯定你会发现你的问题已经同时出现了！

And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

Fix the whole of your app before you even think about this problem, and almost certainly you will find that your problem has gone at the same time!

这篇关于Sqldataadapter没有填充数据表。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！