62,046
社区成员
发帖
与我相关
我的任务
分享在创建和初始化数据适配器时怎么向sql语句传递参数啊?
比如说在以下代码怎样才可以让参数传到sql语句并正确执行
string sql="select userid,pwd from tbuser where userid=TextBox1.text";
SqlDataAdapter da=new SqlDataAdapter();
da.SelectCommand=new SqlCommand(sql,Conn);
DataSet ds=new DataSet();
da.Fill(ds,"User");
在vb中可以在sql语句中这样写,但是现在好像不行,请教高手,要想把textbox的值传进去该怎么改写这段程序?
string sql="select userid,pwd from tbuser where userid=TextBox1.text";
SqlDataAdapter da=new SqlDataAdapter();
da.SelectCommand=new SqlCommand(sql,Conn);
DataSet ds=new DataSet();
da.Fill(ds,"User");
在vb中可以在sql语句中这样写,但是现在好像不行,请教高手,要想把textbox的值传进去该怎么改写这段程序?
...全文
请发表友善的回复…
发表回复
liq1979 2003-08-20
- 打赏
- 举报
string sql="select userid,pwd from tbuser where userid = " + TextBox1.text;
saucer 2003-08-20
- 打赏
- 举报
what is the datatype for userid? if it is an integer, try (bad, it is subject to SQL injection attack):
string sql="select userid,pwd from tbuser where userid=" + TextBox1.Text;
SqlDataAdapter da=new SqlDataAdapter();
da.SelectCommand=new SqlCommand(sql,Conn);
or a better way:
string sql="select userid,pwd from tbuser where userid=@userid";
SqlDataAdapter da=new SqlDataAdapter();
da.SelectCommand=new SqlCommand(sql,Conn);
da.SelectCommand.Parameters.Add("@userid", Convert.ToInt32(TextBox1.Text));
....
string sql="select userid,pwd from tbuser where userid=" + TextBox1.Text;
SqlDataAdapter da=new SqlDataAdapter();
da.SelectCommand=new SqlCommand(sql,Conn);
or a better way:
string sql="select userid,pwd from tbuser where userid=@userid";
SqlDataAdapter da=new SqlDataAdapter();
da.SelectCommand=new SqlCommand(sql,Conn);
da.SelectCommand.Parameters.Add("@userid", Convert.ToInt32(TextBox1.Text));
....
