What's wrong with this code while passing param


Question

string sql = "select * from   tblVehicle where CAST(floor( CAST( Vehentrytime AS FLOAT ) )AS DATETIME) = '11/4/2011' ";

the above code works fine
but when the time is in string for example

string myDate = System.DateTime.Now.ToString("MM/dd/yyyy");

and the query is now like

string sql = "select * from   tblVehicle where CAST(floor( CAST( Vehentrytime AS FLOAT ) )AS DATETIME) = "+myDate+"";

the datas are not obtained

is there any error in the second query?
please inform me where is the mistake?
with regards bishnu karki

Answers

Have a look in the debugger at the SQL. Are you missing the single quotes? Also, as a tip I'd use DateTime.UtcNow (if you're in the UK) as this avoids GMT/BST differences.

(Better yet, parameterise the date.)


Try by adding single quotes.
string sql = "select * from   tblVehicle where CAST(floor( CAST( Vehentrytime AS FLOAT ) )AS DATETIME) = '" + myDate + "'";


A couple more points:
1) Not sure why you are using CAST ... AS FLOAT.
2) Not sure why you are using floor.
3) Plain concatenated queries may be risky considering "SQL Injection"; instead use parameterized queries.
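Both answers recommend parameterising the date rather than building the SQL string by hand. The following is an added example, not code posted in this thread: it takes the table and column names from the question and rewrites the filter as a parameterised query against SQL Server using System.Data.SqlClient. The connection string is a placeholder, and the method names are my own. The CAST(floor(CAST(... AS FLOAT))) construct in the question truncates the datetime to midnight so it can be compared with a date; the half-open range below selects the same rows without applying a function to the column, which also keeps an index on Vehentrytime usable.

```csharp
// Added example (not from the original thread): the question's date filter
// as a parameterised query. Table and column names come from the question;
// the connection string is a placeholder you must supply.
using System;
using System.Data;
using System.Data.SqlClient;

class VehicleQuery
{
    // Counts the rows whose Vehentrytime falls on the given calendar day.
    // 'day' must be expressed in the same time zone as the stored values
    // (the first answer's reason for suggesting DateTime.UtcNow).
    static int CountVehiclesEnteredOn(string connectionString, DateTime day)
    {
        // Equivalent to the CAST/floor trick in the question: every time on
        // that day is >= midnight of the day and < midnight of the next day.
        const string sql =
            "SELECT * FROM tblVehicle " +
            "WHERE Vehentrytime >= @DayStart AND Vehentrytime < @DayEnd";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters: the values never become part of the SQL text,
            // so missing quotes, the locale-dependent MM/dd/yyyy format and
            // SQL injection are all no longer a concern.
            cmd.Parameters.Add("@DayStart", SqlDbType.DateTime).Value = day.Date;
            cmd.Parameters.Add("@DayEnd", SqlDbType.DateTime).Value = day.Date.AddDays(1);

            conn.Open();
            int rows = 0;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    rows++;
                }
            }
            return rows;
        }
    }

    static void Main()
    {
        // Placeholder: replace with a real connection string before running.
        string connectionString = "<your connection string here>";
        Console.WriteLine(CountVehiclesEnteredOn(connectionString, DateTime.Today));
    }
}
```

If Vehentrytime is stored as a SQL Server date/datetime column, passing the value as a DateTime parameter also removes the question of whether "11/4/2011" means 11 April or 4 November, since no string is parsed on the server side at all.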

Thank you raiskazi, your code really helped me a lot. Thanks...
