111,125
社区成员
发帖
与我相关
我的任务
分享
...全文
请发表友善的回复…
发表回复
yixianggao 2009-09-22
- 打赏
- 举报
字符串拼接是很不可取滴,建议使用 Parameters 添加参数,
有时间看看 SqlHelper 或者企业库就明白了!
有时间看看 SqlHelper 或者企业库就明白了!
waya1222 2009-09-22
- 打赏
- 举报
用String.format()比较好!
zisefengye 2009-09-22
- 打赏
- 举报
public DataTable GetInfomation(int id,string name)
{
string sql = "select * from [tablename] where ID = @ID and Name = @Name ";
SqlCommand command = new SqlCommand(sql,connection);
command.Parameters.AddWithValue("@ID",id)
command.Parameters.AddWithValue("@Name",name);
SqlDataAdapater sda = new SqlDataAdapter(command);
DataTable dt = new DataTable();
sda.Fill(dt);
return dt;
}
{
string sql = "select * from [tablename] where ID = @ID and Name = @Name ";
SqlCommand command = new SqlCommand(sql,connection);
command.Parameters.AddWithValue("@ID",id)
command.Parameters.AddWithValue("@Name",name);
SqlDataAdapater sda = new SqlDataAdapter(command);
DataTable dt = new DataTable();
sda.Fill(dt);
return dt;
}
czbbbs 2009-09-22
- 打赏
- 举报
整形 在""外不加 ''。
string变量 在""外加 ''。
例如:
string变量 在""外加 ''。
例如:
string SQL = "select * from table_a where id = "+ intID +" and name = '" + strName + "'";
abcdef1111111 2009-09-22
- 打赏
- 举报
string str="abcdef";
string sqlstr="select * from 表名 where 字段名='"+str+"'";
ivws_19 2009-09-22
- 打赏
- 举报
了解SQL的常用写法和c#的字符串操作就知道了
huming_h 2009-09-22
- 打赏
- 举报
引用楼上的,稍加修改
String Str1 = "zhongguo";
int iage = 30;
String StrSQL = string.Format("SELECT * FROM TABLEA WHERE FIELD1 = '{0}' AND Age ={1}",Str1,iage);
String Str1 = "zhongguo";
int iage = 30;
String StrSQL = string.Format("SELECT * FROM TABLEA WHERE FIELD1 = '{0}' AND Age ={1}",Str1,iage);
mjp1234airen4385 2009-09-22
- 打赏
- 举报
String Str1 = "zhongguo";
int iage = 30;
String StrSQL = "SELECT * FROM TABLEA WHERE FIELD1 = '" + Str1 + "' AND Age = " + iage.ToString();
int iage = 30;
String StrSQL = "SELECT * FROM TABLEA WHERE FIELD1 = '" + Str1 + "' AND Age = " + iage.ToString();
风之影子 2009-09-22
- 打赏
- 举报
整形直接相加
如下:
string变量需单引号引用
如下:
如下:
select * from testtable [id]="+ this.txtEname.Text.Trim()string变量需单引号引用
如下:
select * from testtable [name]='" + this.txtEname.Text.Trim() + "'"
lqahnh 2009-09-22
- 打赏
- 举报
可以都转换为string类型的。
liujintaozyc 2009-09-22
- 打赏
- 举报
String.Format()可以试试
cloudwalf 2009-09-22
- 打赏
- 举报
还是用String.Format好,避免SQL注入
mashi321323 2009-09-22
- 打赏
- 举报
string name="nameString";
string sql=string.format("select * from tableName where uName=?",name);
string sql=string.format("select * from tableName where uName=?",name);
yzk2008 2009-09-22
- 打赏
- 举报
用参数。。任何类型都一样,只样将DbType设置与数据库字段类型相对应的就OK了,如下:
string sqlCommand = @"update TZ_SHORTFILL_MAIN SET stuNumber=:stuNumber
where systemid=:systemid ";
DbCommand dbCommand = db.GetSqlStringCommand(sqlCommand);
DbParameter key_dbPara_systemid = dbCommand.CreateParameter();
key_dbPara_systemid.ParameterName = ":systemid";
key_dbPara_systemid.Value = systemid;
key_dbPara_systemid.DbType = DbType.AnsiString;
dbCommand.Parameters.Add(key_dbPara_systemid);
DbParameter key_dbPara_stunumber = dbCommand.CreateParameter();
key_dbPara_stunumber.ParameterName = ":stuNumber";
key_dbPara_stunumber.Value = stuNumber;
key_dbPara_stunumber.DbType = DbType.int32;
dbCommand.Parameters.Add(key_dbPara_stunumber);
int rows = db.ExecuteNonQuery(dbCommand, ts);
return rows;
string sqlCommand = @"update TZ_SHORTFILL_MAIN SET stuNumber=:stuNumber
where systemid=:systemid ";
DbCommand dbCommand = db.GetSqlStringCommand(sqlCommand);
DbParameter key_dbPara_systemid = dbCommand.CreateParameter();
key_dbPara_systemid.ParameterName = ":systemid";
key_dbPara_systemid.Value = systemid;
key_dbPara_systemid.DbType = DbType.AnsiString;
dbCommand.Parameters.Add(key_dbPara_systemid);
DbParameter key_dbPara_stunumber = dbCommand.CreateParameter();
key_dbPara_stunumber.ParameterName = ":stuNumber";
key_dbPara_stunumber.Value = stuNumber;
key_dbPara_stunumber.DbType = DbType.int32;
dbCommand.Parameters.Add(key_dbPara_stunumber);
int rows = db.ExecuteNonQuery(dbCommand, ts);
return rows;
