How to get the number of rows with less than values VB ASP


Problem description

Hey guys, I want to get the number of rows whose values are less than my label's value. When
I fix the value and do it like this, it works fine:

        con.Open()
        cmd.CommandText = "select * from tblprodinfo where quantity<5 "

But when I do this:

What I have tried:

        con.Open()
        cmd.CommandText = "select * from tblprodinfo where quantity<'" & cl.Text & "' "
        rdr = cmd.ExecuteReader
        If rdr.HasRows Then
            While rdr.Read
                crit.Text = Val(crit.Text) + 1
            End While

        End If
        con.Close()

it's not working properly.

Recommended answers

Never do that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL injection attacks, which can destroy your entire database. Use parameterized queries instead.
Start by checking the user input: use Integer.TryParse to convert it to an Integer value:
Dim quant As Integer
If Not Integer.TryParse(cl.Text, quant) Then
    ' Report problem to user
    ...
    Return
End If

Then pass the converted value to SQL via a parameter:

cmd.CommandText = "SELECT * FROM tblprodinfo WHERE quantity < @QTY"
cmd.Parameters.AddWithValue("@QTY", quant)
rdr = cmd.ExecuteReader


Why bother with a DataReader & manually count each row?

con.Open()
cmd.CommandText = "SELECT COUNT(*) FROM tblprodinfo WHERE quantity < @QTY"
cmd.Parameters.AddWithValue("@QTY", quant)
crit.Text = cmd.ExecuteScalar.ToString()
con.Close()


You should refine your question!
It is not clear what works and what doesn't: "it work fine" and "its not working propoerly".
My guess is that you should remove the single quotes "'" in your second query.

Never build an SQL query by concatenating with user inputs; it is called "SQL injection", and it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user input like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability.
SQL injection - Wikipedia
SQL Injection
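Both answers above describe the same two things: the concatenated query breaks on a single quote such as "Brian O'Conner", and the fix is to validate the input (Integer.TryParse) and bind it as a parameter to a COUNT(*) query. The following is an added Python/sqlite3 re-creation of that comparison, not code from either answer; the table contents and the helper names are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the tblprodinfo table in the question."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblprodinfo (prodname TEXT, quantity INTEGER)")
    con.executemany(
        "INSERT INTO tblprodinfo VALUES (?, ?)",
        [("bolt", 2), ("nut", 4), ("screw", 5), ("washer", 9)],
    )
    return con


def count_low_stock_concat(con, user_text):
    """The pattern from the question: the label text is spliced into the SQL string."""
    sql = "SELECT COUNT(*) FROM tblprodinfo WHERE quantity<'" + user_text + "' "
    return con.execute(sql).fetchone()[0]


def concat_query_crashes(con, user_text):
    """True when the concatenated query fails to parse for this input (the O'Conner case)."""
    try:
        count_low_stock_concat(con, user_text)
        return False
    except sqlite3.OperationalError:
        return True


def count_low_stock_param(con, user_text):
    """The answer's approach: validate first (Integer.TryParse equivalent), then bind a parameter.

    Returns None when the input is not an integer, mirroring the 'report problem and Return' branch.
    """
    try:
        quant = int(user_text)
    except ValueError:
        return None
    sql = "SELECT COUNT(*) FROM tblprodinfo WHERE quantity < ?"
    return con.execute(sql, (quant,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(count_low_stock_param(db, "5"))                   # 2 (bolt, nut)
    print(count_low_stock_param(db, "Brian O'Conner"))      # None: rejected before any SQL runs
    print(concat_query_crashes(db, "Brian O'Conner"))       # True: unterminated string literal
```

The `?` placeholder is sqlite3's positional parameter; it plays the same role as `@QTY` with `AddWithValue` in the VB.NET answer.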

