Correct the SQL queries


Question

select SheetNo, TotalDays,
       COALESCE(CONVERT(CHAR(8), FDate, 1), '') + '-' + COALESCE(CONVERT(CHAR(8), TDate, 1), '') AS Peroids,
       VehicleNo, Driver1 + '/' + Driver2 as Driver, Tfrieght as Frieght, TDQty as Diesel_Qty,
       TDAmt as Diesel_Amt, TEAmt as Expense, NetBal, TKM, Mile as Milage
from TripSheet
where convert(datetime, EDate, 103) between '" & dtp_from.Value.Date & "' and '" & dtp_to.Value.Date & "'
  and Driver1='" & cb_sublist.Text & "'
union all
select SheetNo, TotalDays,
       COALESCE(CONVERT(CHAR(8), FDate, 1), '') + '-' + COALESCE(CONVERT(CHAR(8), TDate, 1), '') AS Peroids,
       VehicleNo, Driver1 + '/' + Driver2 as Driver, Tfrieght as Frieght, TDQty as Diesel_Qty,
       TDAmt as Diesel_Amt, TEAmt as Expense, NetBal, TKM, Mile as Milage
from TripSheet
where convert(datetime, EDate, 103) between '" & dtp_from.Value.Date & "' and '" & dtp_to.Value.Date & "'
  and Driver2=' " & cb_sublist.Text & " '



Is this correct or not?

Answer

How would we know?
We have no idea what your database looks like!

But - and it's a big but - do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL injection attacks, which can destroy your entire database. Use parameterized queries instead.
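As an added example (not the poster's or the answerer's code), here is the same TripSheet report rewritten with ADO.NET parameters. It assumes SQL Server reached through System.Data.SqlClient, a connection string held in a variable named connString, and that Driver1/Driver2 are VARCHAR columns of at most 50 characters; dtp_from, dtp_to and cb_sublist are the form controls named in the question. The concatenated version is exploitable because cb_sublist.Text is pasted between quotes: a value such as x' OR 1=1 -- closes the string literal and comments out the rest of the WHERE clause, so every trip sheet comes back. Concatenating dtp_from.Value.Date also turns the date into text under whatever regional settings the client PC has, which the server may not parse as intended. Note too that the second UNION ALL branch in the question wraps the driver name in spaces (' " & cb_sublist.Text & " '), so it only matches names padded with spaces; the version below binds the trimmed name once and reuses the same parameter in both branches.

```vb
' Added example, not the poster's code: the TripSheet report query from the
' question, rewritten so that the date window and driver name are bound as
' SqlParameters instead of being concatenated into the SQL text.
' Assumptions: SQL Server via System.Data.SqlClient; connString holds the
' connection string; Driver1/Driver2 are VARCHAR columns (size 50 assumed).
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Class TripSheetReport

    ' Column list from the question, shared by both halves of the UNION ALL.
    Private Const Columns As String =
        "SheetNo, TotalDays, " &
        "COALESCE(CONVERT(CHAR(8), FDate, 1), '') + '-' + " &
        "COALESCE(CONVERT(CHAR(8), TDate, 1), '') AS Peroids, " &
        "VehicleNo, Driver1 + '/' + Driver2 AS Driver, Tfrieght AS Frieght, " &
        "TDQty AS Diesel_Qty, TDAmt AS Diesel_Amt, TEAmt AS Expense, " &
        "NetBal, TKM, Mile AS Milage"

    ' The SQL is a constant: no user input is ever spliced into it.
    ' @from, @to and @driver are placeholders; the same name may appear in
    ' both branches and is bound once.
    Private Const ReportSql As String =
        "SELECT " & Columns & " FROM TripSheet " &
        "WHERE CONVERT(datetime, EDate, 103) BETWEEN @from AND @to " &
        "  AND Driver1 = @driver " &
        "UNION ALL " &
        "SELECT " & Columns & " FROM TripSheet " &
        "WHERE CONVERT(datetime, EDate, 103) BETWEEN @from AND @to " &
        "  AND Driver2 = @driver"

    ' Runs the report for one driver over the inclusive date window.
    Public Shared Function LoadReport(connString As String,
                                      fromDate As Date,
                                      toDate As Date,
                                      driver As String) As DataTable
        Dim result As New DataTable()

        Using conn As New SqlConnection(connString)
            Using cmd As New SqlCommand(ReportSql, conn)
                ' Dates travel as DATETIME values, not as culture-formatted
                ' text, so the client's regional settings cannot change them.
                cmd.Parameters.Add("@from", SqlDbType.DateTime).Value = fromDate.Date
                cmd.Parameters.Add("@to", SqlDbType.DateTime).Value = toDate.Date

                ' The driver name is sent as data. A value such as
                '     x' OR 1=1 --
                ' is compared literally against Driver1/Driver2 and matches
                ' nothing; it can no longer rewrite the WHERE clause.
                cmd.Parameters.Add("@driver", SqlDbType.VarChar, 50).Value = driver.Trim()

                ' Fill opens and closes the connection itself.
                Using adapter As New SqlDataAdapter(cmd)
                    adapter.Fill(result)
                End Using
            End Using
        End Using

        Return result
    End Function

    ' Call site in the form, using the control names from the question:
    '   Dim rows As DataTable =
    '       TripSheetReport.LoadReport(connString, dtp_from.Value, dtp_to.Value, cb_sublist.Text)
End Class
```

Bind the returned DataTable to the grid exactly as before; the only behavioural difference from the question's code is that the driver name is trimmed and compared as a plain string in both branches, and the dates no longer depend on the client's date format.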

