a select query one is giving result and another same is not what the hell it is


Question

cmd.CommandText = "select fname,mbn,kskill,resume,email from reg where cl=" + ddlocation.SelectedItem + "";

This query is not giving a result:

if (ds.Tables[0].Rows.Count > 0)
{
    GridView1.DataSource = ds.Tables[0];
    GridView1.DataBind();
}
else
{
    Response.Write("<script> alert('no match found') </script>");
}



The control is going to else every time, and another query, cmd.CommandText = "select fname,mbn,kskill,resume,email from reg where jobtype='" + Ddjobtype.SelectedItem + "'"; is giving a correct result.

I did not understand what the problem is; this database is correct, no mistake with any field or any column.

Recommended answer

The chances are that it's to do with the content of the drop down list: when you put quotes around it as in your second example, it works because SQL knows to expect it as a string.

However, it would be a much, much better idea to use a parametrized query instead:

cmd.CommandText = "SELECT fname,mbn,kskill,resume,email FROM reg WHERE cl=@CL";
// Pass the selected item's text; the ListItem object itself has no SQL type mapping.
cmd.Parameters.AddWithValue("@CL", ddlocation.SelectedItem.Text);

This would also help to protect you from accidental or deliberate SQL Injection attacks.
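The answer's point, reproduced as an added example (not code from the thread) in Python against an in-memory SQLite table instead of the questioner's C#/SQL Server setup. The reg table, its rows and the location values are constructed; the three functions mirror the unquoted, quoted and parametrized forms of the same WHERE clause, and outcome() reports whether each variant returns rows or raises a database error.

```python
import sqlite3

# Constructed stand-in for the questioner's "reg" table (columns guessed from the queries).
ROWS = [
    ("Asha", "9000000001", "java", "asha.pdf", "asha@example.com", "Delhi", "fulltime"),
    ("Ravi", "9000000002", "sql", "ravi.pdf", "ravi@example.com", "L'Aquila", "parttime"),
]

SELECT = "select fname,mbn,kskill,resume,email from reg where cl="


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table reg(fname,mbn,kskill,resume,email,cl,jobtype)")
    con.executemany("insert into reg values(?,?,?,?,?,?,?)", ROWS)
    return con


def search_unquoted(con, location):
    # First query in the question: value concatenated with no quotes,
    # so the engine reads it as an identifier (column name), not a string.
    return con.execute(SELECT + location).fetchall()


def search_quoted(con, location):
    # Second query in the question: value wrapped in single quotes. Works for
    # plain values, but any apostrophe in the value breaks the statement.
    return con.execute(SELECT + "'" + location + "'").fetchall()


def search_param(con, location):
    # The answer's recommendation: the value travels as a bound parameter and
    # is never parsed as SQL, whatever characters it contains.
    return con.execute(SELECT + "?", (location,)).fetchall()


def outcome(search, location):
    """Return ("rows", count) or ("error", message) for one search variant."""
    con = make_db()
    try:
        return ("rows", len(search(con, location)))
    except sqlite3.Error as exc:
        return ("error", str(exc))
    finally:
        con.close()


if __name__ == "__main__":
    for loc in ("Delhi", "L'Aquila"):
        for fn in (search_unquoted, search_quoted, search_param):
            print(fn.__name__, repr(loc), outcome(fn, loc))
```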

