C# select value from textbox and multiply

Views: 135

Problem description


How to

Select pre_kod,ing_pav, pre_ska*100/1000, san_kod from v_gaminiai where gam_kod='40010100'

in C# ?



Pre_ska * TextBox / 1000

What I have tried:

OdbcDataAdapter sdf = new OdbcDataAdapter("Select pre_kod,ing_pav, pre_ska(* " + Convert.ToDouble(GAM_SKA.Text) + " /1000), san_kod from v_gaminiai where gam_kod='" + txt_pre_kod.Text.ToString() + "'", conn); 

Recommended answer


Move the bracket, and don't do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'


The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:

SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'


Which SQL sees as three separate commands:

SELECT * FROM MyTable WHERE StreetAddress = 'x';


A perfectly valid SELECT

DROP TABLE MyTable;


A perfectly valid "delete the table" command

--'


And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?

As it stands, your query is bad SQL. If you manually expand it using "100" and "Hello" as the inputs, SQL is presented with a string like this:

Select pre_kod,ing_pav, pre_ska(* 100.0 /1000), san_kod from v_gaminiai where gam_kod='Hello'


That isn't right: Sql has to assume pre_ska is a function, and tries to work out what the heck the parameter is! It can't, and you get an error for the function and / or the parameter.
Compare with this:

SELECT pre_kod,ing_pav, pre_ska * (100.0 / 1000.0), san_kod FROM v_gaminiai WHERE gam_kod='Hello'


and it's much more understandable - but use double.TryParse to convert the textbox value (reporting problems to the user) instead of Convert.ToDouble and use parameterised queries to pass both values.
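The asker's query rewritten the way the answer recommends: bracket in the right place, double.TryParse for the textbox value, and ODBC positional parameters instead of string concatenation. This is an added example, not code from the answer; it assumes an already open OdbcConnection and that gam_kod is a VarChar column.

```csharp
using System;
using System.Data;
using System.Data.Odbc;
using System.Globalization;

public static class ProductQuery
{
    // Assumed call from the form: LoadScaledProducts(conn, GAM_SKA.Text, txt_pre_kod.Text)
    public static DataTable LoadScaledProducts(OdbcConnection conn, string scaleText, string gamKod)
    {
        double scale;
        // Validate the textbox here instead of letting Convert.ToDouble throw on bad input.
        if (!double.TryParse(scaleText, NumberStyles.Float, CultureInfo.InvariantCulture, out scale))
            throw new ArgumentException("Enter a numeric scale factor.", nameof(scaleText));

        // ODBC uses positional '?' placeholders; parameters bind in the order they are added.
        // The textbox value is now an operand of the multiplication, not a pseudo-function.
        const string sql =
            "SELECT pre_kod, ing_pav, pre_ska * (? / 1000.0) AS pre_ska_scaled, san_kod " +
            "FROM v_gaminiai WHERE gam_kod = ?";

        using (var cmd = new OdbcCommand(sql, conn))
        {
            cmd.Parameters.Add("scale", OdbcType.Double).Value = scale;
            // The product code travels as data: a value such as x';DROP TABLE MyTable;--
            // is compared against gam_kod as a literal string, never parsed as SQL.
            cmd.Parameters.Add("gam_kod", OdbcType.VarChar, 50).Value = gamKod;

            var table = new DataTable();
            using (var adapter = new OdbcDataAdapter(cmd))
                adapter.Fill(table);
            return table;
        }
    }
}
```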



Work this:
OdbcDataAdapter sdf = new OdbcDataAdapter("Select gam_kod,pap_kod, pap_ska=(pap_ska * " + Convert.ToDouble(GAM_SKA.Text) + " /1000), pap_sum=(pap_sum * " + Convert.ToDouble(GAM_SKA.Text) + " /1000) from gaminys1p where gam_kod='" + txt_pre_kod.Text.ToString() + "'", conn);

