How can I search data using 25 textboxes without using the OR operator in SQL

Views: 134

Problem description

I have 25 text boxes and I need to search using those text boxes. I have tried using the OR OPERATOR, but eventually it'll just show all the data in the datagridview. I don't want to try the AND OPERATOR because it'll just make me write hundreds of possibilities.

What I have tried:

connection.Open();
SqlDataAdapter da = new SqlDataAdapter("Select ColumnName1,ColumnName2,ColumnName3 from TableName Where ColumnName1 = '" + textBox1.Text + "' AND ColumnName2 = '" + textBox2.Text + "' AND ColumnName3 = '" + textBox3.Text + "'", connection);
SqlDataAdapter da = new SqlDataAdapter("Select ColumnName1,ColumnName2 from TableName Where ColumnName1 = '" + textBox1.Text + "' AND ColumnName3 = '" + textBox2.Text + "'", connection);
SqlDataAdapter da = new SqlDataAdapter("Select ColumnName1 from TableName Where ColumnName1 = '" + textBox1.Text + "'", connection);
DataTable dt = new DataTable();
da.Fill(dt);
dataGridView1.DataSource= dt;
connection.Close();
This is just for 3 textboxes; imagine 25 textboxes :(

Recommended answer

Start off by not doing it like that. Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL injection attacks which can destroy your entire database. Use parameterized queries instead.

Other than that, why are you creating the same DataAdapter multiple times? Condensing your code a bit for clarity:
SqlDataAdapter da = new SqlDataAdapter(Select1, connection);
SqlDataAdapter da = new SqlDataAdapter(Select2, connection);
SqlDataAdapter da = new SqlDataAdapter(Select3, connection);
DataTable dt = new DataTable();
da.Fill(dt);

The first two aren't used at all, because the subsequent instances overwrite them, and you end up with just the selection from the final DataAdapter.

If you want to combine results in SQL, you have to use AND and OR: there isn't a magic command for "here's a bunch of text items, find 'em anywhere in my DB will ya?"
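One way to do what this answer recommends, as an added example that is neither the poster's nor the answerer's code: build a single parameterized query that ANDs together only the textboxes the user actually filled in, so 25 boxes need one query instead of hundreds of hand-written combinations. The table and column names (TableName, ColumnName1..3) come from the question; the SearchHelper class, the AllowedColumns allow-list and the 200-character parameter size are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class SearchHelper
{
    // Allow-list of searchable columns (assumed names; extend to all 25).
    // Identifiers cannot be bound as parameters, so they must never come
    // straight from user input; only names on this list reach the SQL text.
    private static readonly string[] AllowedColumns =
        { "ColumnName1", "ColumnName2", "ColumnName3" };

    // filters: column name -> textbox text. Empty boxes are skipped, so one
    // query covers every combination of filled-in boxes. Values are bound
    // as parameters, never concatenated into the command text.
    public static DataTable Search(SqlConnection connection,
                                   IDictionary<string, string> filters)
    {
        var where = new List<string>();
        using (var cmd = connection.CreateCommand())
        {
            int i = 0;
            foreach (var kv in filters)
            {
                if (string.IsNullOrWhiteSpace(kv.Value)) continue;
                if (!AllowedColumns.Contains(kv.Key))
                    throw new ArgumentException("Unknown column: " + kv.Key);

                string p = "@p" + i++;
                where.Add("[" + kv.Key + "] = " + p);
                cmd.Parameters.Add(p, SqlDbType.NVarChar, 200).Value = kv.Value.Trim();
            }

            // No WHERE clause at all when every box is empty (returns all rows).
            cmd.CommandText = "SELECT " + string.Join(", ", AllowedColumns)
                + " FROM TableName"
                + (where.Count > 0 ? " WHERE " + string.Join(" AND ", where) : "");

            var dt = new DataTable();
            using (var da = new SqlDataAdapter(cmd)) da.Fill(dt); // Fill opens/closes the connection itself
            return dt;
        }
    }
}
```

Wire it up from the form with something like `dataGridView1.DataSource = SearchHelper.Search(connection, new Dictionary<string, string> { { "ColumnName1", textBox1.Text }, { "ColumnName2", textBox2.Text } });`, adding one entry per textbox. If you want any-match behaviour instead of all-match, change the `" AND "` join to `" OR "`; the parameter binding stays the same.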

Yeah, well, first of all google 'SQL injection'... then realize the structure is a no-go.

Then make a stored procedure that takes 25 parameters and construct your query depending on what directly on the SQL server... then before passing the values from the textboxes on to your procedure, check them for escape characters or anything else than what you'd expect. Basically, if it's just characters, for instance, make a regex taking all letters with a negative lookahead for anything not that, or something like that. You can probably centralize that code as you won't have to make it twice :)
