Author however1983 ()
Board Visual_Basic
Title [.NET] Problem using a variable as a parameter in an SQL query
Time Fri Mar 16 12:46:32 2007
This seemingly simple problem has bothered me for a long time.
When using SelectCommand, I use a variable as the parameter of the SQL WHERE condition.
The code is as follows:
    Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim TaskID As String
        Dim SeqID As String
        Dim Seq As String
        TaskID = Me.DropDownList1.SelectedValue
        ' First query: look up the sequence code (顺序编码) of the selected task
        Dim sds2 As New System.Web.UI.WebControls.SqlDataSource
        sds2.ConnectionString = "Data Source=SHANE;Initial Catalog=AS;Persist Security Info=True;User ID=sa;Password=5408"
        sds2.SelectCommand = "select [顺序编码] from [Tasks] where 任务ID = '" & TaskID & "'"
        Dim dv2 As Data.DataView = sds2.Select(New DataSourceSelectArguments)
        Me.GridView2.DataSource = dv2
        SeqID = dv2.Item(0).Item(0)
        Response.Write(SeqID)
        ' Second query: LIKE condition built by concatenating SeqID (the line in question;
        ' the string literal must stay on one line in VB.NET)
        Dim sds As New System.Web.UI.WebControls.SqlDataSource
        sds.ConnectionString = "Data Source=SHANE;Initial Catalog=AS;Persist Security Info=True;User ID=sa;Password=5408"
        sds.SelectCommand = "select * from [Tasks] where (顺序编码 like '%" & SeqID & "%')"
        Dim dv As Data.DataView = sds.Select(New DataSourceSelectArguments)
        Me.GridView1.DataSource = dv
        Me.GridView1.DataBind()
    End Sub
The key part is (顺序编码 like '%" & SeqID & "%")
Although I concatenate a % character on both sides of SeqID, the query result is the same as without the %...
But if I first pass a fixed value into SeqID, e.g. SeqID=123, the result is correct.
I suspect that SeqID & "%" leaves an extra space in between (e.g. 123 % instead of 123%).
As a programming beginner I have puzzled over this for quite a while, and I could not find any related information.
I hope someone can give me a pointer, thanks!
--
※ Posted from: 批踢踢实业坊(ptt.cc)
◆ From: 140.113.108.132
1F:推 LPH66: Use str(SeqID) instead 03/16 15:33
2F:推 seagal: Better not to build the SELECT by string concatenation 03/16 15:41
3F:推 seagal: It has SQL injection problems 03/16 15:41
4F:推 however1983: Thanks! With LPH66's method I solved the extra space in the middle! 03/16 15:52
5F:→ however1983: But the select still returns nothing 囧 03/16 15:52
6F:→ however1983: Substituting the number that Response.Write prints for SeqID works, but 03/16 15:55
7F:→ however1983: substituting " & Seq & " gives no result ... 03/16 15:56
8F:推 however1983: It works! Thanks seagal~ passing it in as a Long type fixed it~ 03/16 16:03
9F:推 fumizuki: Is dv2.Item(0).Item(0).Value.ToString() a better way to write it? 03/17 08:55
10F:推 fumizuki: Replace(SeqID, "'", "''") replaces one single quote with two single quotes 03/17 08:55
11F:推 however1983: Thanks for the board master's suggestion! 03/17 18:22
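Added example (not the original poster's code): the two lookups from the post rewritten with SqlDataSource.SelectParameters, as seagal's replies recommend, so that the selected TaskID and the looked-up SeqID are passed as parameters and never become part of the SQL text. The connection string, table and column names are taken from the post; the Trim of the looked-up value and the ESCAPE handling of LIKE wildcards are assumptions added here.

```vb
' Added example, not the original poster's code. Assumes the controls, table and
' columns named in the post; the Trim and ESCAPE handling are additions.
Protected Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim connStr As String = "Data Source=SHANE;Initial Catalog=AS;Persist Security Info=True;User ID=sa;Password=5408"

    ' Step 1: look up the sequence code of the selected task. @TaskID is a parameter,
    ' so whatever the drop-down carries is compared as a value, not parsed as SQL.
    Dim sds2 As New System.Web.UI.WebControls.SqlDataSource
    sds2.ConnectionString = connStr
    sds2.SelectCommand = "SELECT [顺序编码] FROM [Tasks] WHERE [任务ID] = @TaskID"
    sds2.SelectParameters.Add("TaskID", System.TypeCode.String, Me.DropDownList1.SelectedValue)

    Dim dv2 As Data.DataView = sds2.Select(New DataSourceSelectArguments)
    If dv2.Count = 0 Then
        Response.Write("no task found for the selected ID")
        Return
    End If

    ' Convert explicitly instead of relying on Option Strict Off, and trim so that
    ' padding from a fixed-width column cannot end up inside the LIKE pattern.
    Dim seqId As String = Convert.ToString(dv2(0)(0)).Trim()

    ' Step 2: the % wildcards are added to the parameter VALUE, not to the SQL text.
    ' Characters that LIKE treats specially in SQL Server (%, _, [) are escaped so a
    ' sequence code containing them matches itself rather than acting as a wildcard.
    Dim escaped As String = seqId.Replace("\", "\\").Replace("%", "\%").Replace("_", "\_").Replace("[", "\[")
    Dim pattern As String = "%" & escaped & "%"

    Dim sds As New System.Web.UI.WebControls.SqlDataSource
    sds.ConnectionString = connStr
    sds.SelectCommand = "SELECT * FROM [Tasks] WHERE [顺序编码] LIKE @Pattern ESCAPE '\'"
    sds.SelectParameters.Add("Pattern", System.TypeCode.String, pattern)

    Dim dv As Data.DataView = sds.Select(New DataSourceSelectArguments)
    Me.GridView1.DataSource = dv
    Me.GridView1.DataBind()
End Sub
```

Because the values travel as parameters, the single-quote doubling suggested in reply 10F is no longer needed, and the trailing-space symptom described in the post cannot come from string concatenation at all.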