C# code for request.query string


Problem description

I want to select data from gridview whose request.query string is chat. Give C# code for this.

string up = Request.QueryString[suupliername];
   GridView1.DataSource = obj.selectmultiple("select distinct cat from data1 where supplier="+up+" ");



I got an error in this code: invalid column name, but I checked that all column names are right in the database, so what do I change in this code?

Recommended answers

We can't specifically answer that. There are so many possibilities.

1) Check you are connected to the right database.
2) Check that the table "data1" exists in the db.
3) Check that both the "cat" and "supplier" columns exist in the "data1" table.
4) Check that "up" does not contain any odd characters, like space, semicolon, etc.

And don't do it like that anyway! Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.


The way you have written code to get data for your grid has lots of issues. It's not recommended to write your code in this fashion to get data. You can have multiple issues out here. You are not checking for anything invalid.

You should use ADO.NET, where parameterized queries fetch data for you. Have null/empty checks if needed.
Have a look at these on how to retrieve data:
Beginners guide to accessing SQL Server through C#
MSDN: Accessing Data with ADO.NET

Get the data in a dataset/datatable and then bind it to grid.

BTW, based on your variable names, it looks like suppliername is a string. If so, your query formed is incorrect from a string comparison perspective. Another reason why you should use a parameterized query.
Correct query:
GridView1.DataSource = obj.selectmultiple("select distinct cat from data1 where supplier='"+up+"'");
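
The parameterized ADO.NET approach the answers recommend, as an added example (not code from the thread or from the asker's `obj` helper). With the value bound as a parameter it is never parsed as SQL, so it cannot be read as a column name or alter the statement. The page class name, the query-string key "suppliername", the connection string name "Db" and the NVarChar(100) column type are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class Categories : Page   // hypothetical page; GridView1 is declared in the .aspx markup
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // The query-string key is a string literal; "suppliername" is an assumed key name.
        string supplier = Request.QueryString["suppliername"];

        // Null/empty check: the key may be missing or blank in the URL.
        if (string.IsNullOrWhiteSpace(supplier))
        {
            GridView1.DataSource = null;
            GridView1.DataBind();
            return;
        }

        GridView1.DataSource = GetCategories(supplier.Trim());
        GridView1.DataBind();
    }

    private static DataTable GetCategories(string supplier)
    {
        // "Db" is a hypothetical connection string name in web.config.
        string cs = ConfigurationManager.ConnectionStrings["Db"].ConnectionString;
        const string sql = "SELECT DISTINCT cat FROM data1 WHERE supplier = @supplier";

        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            // The value travels as typed data, never as SQL text, so quotes or
            // semicolons in it cannot change the statement. NVarChar(100) is an
            // assumed column type; match it to the real schema.
            cmd.Parameters.Add("@supplier", SqlDbType.NVarChar, 100).Value = supplier;

            var table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }
}
```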


Is it giving invalid column error or datatype conversion error?
Because supplier="+up+" this part should be like supplier='"+up+"' if it is varchar column.

