我如何...我将checklistbox中的数据转换为字符串，并将该字符串传递给in运算符的sql查询 [英] How do I...I am getting a data from checklistbox into a string and pass that string into a sql query for in operator

问题描述

大家好......



我从checklistbox获取数据到字符串中并将该字符串传递给运算符的sql查询。但我的编码是不工作。我告诉你。

Hi Everyone...

I am getting a data from checklistbox into a string and pass that string into a sql query for in operator.But My coding is not working.I show you.

CheckedInvoiceNo = ""
       'Dim ff As New frmSalePerformaReport
       For I = 0 To chklistbx.Items.Count - 1
           If chklistbx.GetItemChecked(I) = True Then
               CheckedInvoiceNo = CheckedInvoiceNo + "," + chklistbx.Items(I).ToString()
           End If
       Next
       sql = "select PFDate,PFNo,CustType,Party,PartyCode,SaleNo,SaleDate,InvHeading,SaleType,Mode,Transporter from sale where PFNo in '" & CheckedInvoiceNo & "'"

------------------------

编辑：添加OP最初作为解决方案提交的信息。

------------------------
Added information that OP originally submitted as a solution.

Quote：

我将数据输入checkinvoiceNo.But我的附加字符串的语法不正确



我得到的那样checkinvoice no = NZ-SP / 13-14 / 00002，NZ-SP / 13-14 / 00001，



但我想得到那样的检查号码''NZ-SP / 13-14 / 00002'，'NZ-SP / 13-14 / 00001'

I am getting data into checkinvoiceNo.But My syntax of append a string is not correct

I am getting like that checkinvoice no = NZ-SP/13-14/00002 ,NZ-SP/13-14/00001 ,

But I wanna get like that checkinvoice no = 'NZ-SP/13-14/00002' , 'NZ-SP/13-14/00001'

推荐答案

首先，你不应该像你在

First of all, you should not "inject" value directly into your sql query like what you did

in '" & CheckedInvoiceNo & "'"

为了避免sql注入，请阅读更多相关信息这里有 SQL注入攻击和一些提示如何防止他们 [ ^ ]。



其次，你的sql查询构造不正确，请查看这些：

1. SQL选择 [ ^ ]

2. SQL IN [ ^ ]

to avoid sql injection, read more about it here SQL Injection Attacks and Some Tips on How to Prevent Them[^].

Secondly, you sql query is not constructed correctly, check these out:
1. SQL Select[^]
2. SQL IN[^]

Quote：

我将数据输入checkinvoiceNo.But我的语法是追加字符串不是正确



我得到的那样checkinvoice no = NZ-SP / 13-14 / 00002，NZ-SP / 13-14 / 00001，



但是我想得到那样的检票号='NZ-SP / 13-14 / 00002'， 'NZ-SP / 13-14 / 00001'

I am getting data into checkinvoiceNo.But My syntax of append a string is not correct

I am getting like that checkinvoice no = NZ-SP/13-14/00002 ,NZ-SP/13-14/00001 ,

But I wanna get like that checkinvoice no = 'NZ-SP/13-14/00002' , 'NZ-SP/13-14/00001'

我建议您使用StringBuilder构建CheckedInvoiceNo。这样的事情：

I would recommend that you use a StringBuilder to construct "CheckedInvoiceNo". Something like this:

Dim CheckedInvoiceNo As New System.Text.StringBuilder()
For Each CheckedItem As Object In chklistbx.CheckedItems
   If CheckedInvoiceNo.Length > 0 Then ' a prior item was added, so add a comma
      CheckedInvoiceNo.Append(","c)
   End If
   CheckedInvoiceNo.Append("'"c)
   CheckedInvoiceNo.Append(CheckedItem.ToString())
   CheckedInvoiceNo.Append("'"c)
Next

' note: I modified the "In" expresion
sql = "select PFDate,PFNo,CustType,Party,PartyCode,SaleNo,SaleDate,InvHeading,SaleType,Mode,Transporter from sale where PFNo IN (" & CheckedInvoiceNo.ToString() & ")"

另外，请注意Pete Leow关于参数化查询的评论。

Also, please pay heed to Pete Leow's comments about parameterized queries.

这篇关于我如何...我将checklistbox中的数据转换为字符串，并将该字符串传递给in运算符的sql查询的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！