What Is The Error in this code


Question



// Connection to the local SQL Server instance using Windows authentication
SqlConnection con = new SqlConnection("Data Source=MOSTAFA;Initial Catalog=mohasba;Integrated Security=True");
DataSet ds = new DataSet();
SqlDataAdapter da = new SqlDataAdapter();
da.SelectCommand = con.CreateCommand();
// The query text is assembled by string concatenation; SelectedIndex is an int,
// so the WHERE clause compares the name column against "0", "1", ...
da.SelectCommand.CommandText = "select sum(مدين) AS مدين, sum(دائن) AS دائن from اذن_قيد where اسم_البيان='" + comboBox1.SelectedIndex + "'";
da.Fill(ds, "اذن_قيد");
dataGridView1.DataSource = ds;
dataGridView1.DataMember = "اذن_قيد";



When I use this code, it returns null data, but when I use this command in SQL Server it returns data.

Solution

Please see my comment to the question.
To make sure the data set obtained through the query is not empty, create a data reader and check it. A data reader is agnostic to the database schema; it can show you the complete result of the query.

For example:

string queryText = //...
SqlCommand command = new SqlCommand(queryText, con); // the command needs a connection; con is the SqlConnection from the question
con.Open();                                          // ExecuteReader requires an open connection
SqlDataReader reader = command.ExecuteReader();
bool empty = !reader.HasRows;                        // true when the query returned no rows at all
//...
reader.Close();



The data reader is very convenient when you only start to work with some database and may want to investigate what's in it and validate the structure of the data sets you are going to create. Please see:
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqldatareader.aspx

There is another problem, a bigger one.

You are composing your query as a string from the UI. Not only is this bad architecture, this is very bad and absolutely not acceptable from the security standpoint. Your system can be easily intruded using SQL Injection. Please see:
http://en.wikipedia.org/wiki/SQL_injection

In the article referenced above, read about the importance of parametrized statements; see also:
http://en.wikipedia.org/wiki/Prepared_statement

Other parameters of the query (those written in Arabo-Persian script, if I'm not mistaken) are now hard-coded, but sooner or later you will have to parametrize them, and that will bring you to the same problem.

To do it in a safe, consistent and maintainable way, you should use parametrized commands, nothing else. Please see:
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx

—SA


Look at that comboBox1.SelectedIndex: that is a number, not a string. I guess you mixed it up with comboBox1.Text; "ism" means name of ..., doesn't it, and not number of ....
Edit: character set incompatibility, the copied Arabic word was changed into nonsense characters.
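Putting both answers together (parametrized command from the first answer, comboBox1.Text instead of SelectedIndex from the second), here is an added example of how the question's query can be rewritten; it is not code from either answer or the original poster. It assumes the same connection string, table and column names as the question, a WinForms comboBox1 and dataGridView1, and an NVarChar(100) type for the name column (an assumption, not stated on the page).

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

// Added example: parametrized replacement for the concatenated query in the question.
static class StatementTotals
{
    // Same connection string as the question.
    const string ConnectionString =
        "Data Source=MOSTAFA;Initial Catalog=mohasba;Integrated Security=True";

    // The filter value travels as a typed SqlParameter, never as part of the
    // SQL text, so a value containing quotes is compared literally and cannot
    // change the structure of the statement.
    public static DataTable LoadTotals(string statementName)
    {
        const string sql =
            "SELECT SUM(مدين) AS مدين, SUM(دائن) AS دائن " +
            "FROM اذن_قيد WHERE اسم_البيان = @name";

        var table = new DataTable("اذن_قيد");
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Declaring type and length explicitly (NVarChar(100) is assumed here)
            // matches an Arabic-text column and keeps the cached plan reusable.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = statementName;

            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(table); // Fill opens and closes the connection itself
            }
        }
        return table;
    }

    // Form wiring: pass the displayed text, not SelectedIndex.
    // SelectedIndex is an int (0, 1, 2, ...), which never equals a name, which is
    // the mix-up the second answer points out.
    public static void Bind(ComboBox comboBox1, DataGridView dataGridView1)
    {
        if (comboBox1.SelectedItem == null)
            return;
        dataGridView1.DataSource = LoadTotals(comboBox1.Text);
    }
}
```

Call `StatementTotals.Bind(comboBox1, dataGridView1)` from the combo box's SelectedIndexChanged handler in place of the original block.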

