How to write a comma-separated query [en] how to write , separated query

Problem description

"select TaskTimeIn,RIGHT(CONVERT(VARCHAR,TaskTimeIn,100),7)as TimeIn,TaskTimeOut,RIGHT(CONVERT(VARCHAR,TaskTimeOut,100),7)as TimeOut, TaskDescription FROM DailyTimeSheetTrackers where  EmployeeId='" + UserLog.UserId + "'',' CreateDateTime='"+StaticKeys.getLocaleDatefromUTC()+"'"

I have some confusion about this query. Can you please correct this query?

Recommended answer

No, we can't - we have no idea what it is meant to do that it doesn't, much less what it doesn't do that you think it should.

But...do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks, which can destroy your entire database. Use parameterized queries instead.

using (SqlConnection con = new SqlConnection(strConnect))
{
    con.Open();
    // Placeholders (@ID, @CT) stand in for the values; the SQL text never contains user input.
    using (SqlCommand cmd = new SqlCommand(
        "SELECT TaskTimeIn, RIGHT(CONVERT(VARCHAR, TaskTimeIn, 100), 7) AS TimeIn, " +
        "TaskTimeOut, RIGHT(CONVERT(VARCHAR, TaskTimeOut, 100), 7) AS TimeOut, TaskDescription " +
        "FROM DailyTimeSheetTrackers WHERE EmployeeId = @ID AND CreateDateTime = @CT", con))
    {
        // Values travel separately from the statement, so a quote inside them is just data.
        cmd.Parameters.AddWithValue("@ID", UserLog.UserId);
        cmd.Parameters.AddWithValue("@CT", StaticKeys.getLocaleDatefromUTC());
        ...
    }
}

It may even fix your problem...
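As an added illustration of the answer's point (not code from the question, the answer or the site): the timesheet lookup run over a constructed in-memory SQLite copy of DailyTimeSheetTrackers, once built by string concatenation and once with placeholders. SQLite stands in for SQL Server here, so the T-SQL CONVERT() columns are left out and the employee rows are made up.

```python
import sqlite3

# Constructed stand-in for the DailyTimeSheetTrackers table from the question.
SCHEMA = """
CREATE TABLE DailyTimeSheetTrackers (
    EmployeeId TEXT, CreateDateTime TEXT,
    TaskTimeIn TEXT, TaskTimeOut TEXT, TaskDescription TEXT
);
INSERT INTO DailyTimeSheetTrackers VALUES
    ('E100',     '2023-05-01', '2023-05-01 09:00', '2023-05-01 17:00', 'Design review'),
    ('O''Brien', '2023-05-01', '2023-05-01 08:30', '2023-05-01 16:30', 'Support rota');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def query_concatenated(con, employee_id, create_dt):
    """The question's pattern: the values are pasted into the SQL text, so a quote
    in the input rewrites the statement (the accidental injection the answer warns about)."""
    sql = ("SELECT TaskTimeIn, TaskTimeOut, TaskDescription FROM DailyTimeSheetTrackers "
           "WHERE EmployeeId='" + employee_id + "' AND CreateDateTime='" + create_dt + "'")
    return con.execute(sql).fetchall()


def query_parameterized(con, employee_id, create_dt):
    """The answer's pattern: placeholders in the text, values passed separately,
    so whatever the input contains is treated as data and never as SQL."""
    sql = ("SELECT TaskTimeIn, TaskTimeOut, TaskDescription FROM DailyTimeSheetTrackers "
           "WHERE EmployeeId=? AND CreateDateTime=?")
    return con.execute(sql, (employee_id, create_dt)).fetchall()


def concatenated_fails(con, employee_id, create_dt):
    """True when the concatenated statement cannot even be parsed for this input."""
    try:
        query_concatenated(con, employee_id, create_dt)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    con = make_db()
    print(query_parameterized(con, "E100", "2023-05-01"))
    print(query_parameterized(con, "O'Brien", "2023-05-01"))   # one row, apostrophe and all
    print(concatenated_fails(con, "O'Brien", "2023-05-01"))    # True: the quote broke the SQL
```

The same apostrophe that makes the concatenated statement unparseable is handled transparently by the placeholder version, which is the whole argument for parameterizing the query in the answer above.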