无法按预期从数据库检索值.需要正确的查询才能得到答案
本文关键字:查询 答案 检索 数据库 | 更新日期: 2023-09-27 18:08:11
有四个文本框,用户在其中输入值,并根据值结果显示在gridview中。
问题是当用户离开某个文本框时,结果只基于其他三个文本框显示。但我的问题在这里不起作用。我在这里遇到了问题。
protected void LoadGridData5()
{
try
{
GridView1.Visible = false;
con.Open();
string ID = IDTEXT.Text;
string ROLE = DropDownList2.SelectedValue.ToString();
string str = TextBox1.Text.ToString();
cmd.Parameters.Add("@ID", SqlDbType.Int).Value = ID;
cmd.Parameters.Add("@NAME", SqlDbType.NVarChar).Value =str;
cmd.Parameters.Add("@ROLE", SqlDbType.VarChar).Value =ROLE;
cmd.Parameters.Add("@DOB", SqlDbType.DateTime).Value =DOBTEXT.Text;
SqlCommand cmd = new SqlCommand("SP_OPERATORS", con);
cmd.CommandType = CommandType.StoredProcedure;
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds, "OPERATOR");
cmd.ExecuteNonQuery();
//GridView1.DataSource = ds;
//GridView1.DataBind();
//con.Close();
if (ds.Tables[0].Rows.Count > 0)
{
GridView1.DataSource = ds;
GridView1.DataBind();
}
else
{
ds.Tables[0].Rows.Add(ds.Tables[0].NewRow());
GridView1.DataSource = ds;
GridView1.DataBind();
int columncount = GridView1.Rows[0].Cells.Count;
GridView1.Rows[0].Cells.Clear();
GridView1.Rows[0].Cells.Add(new TableCell());
GridView1.Rows[0].Cells[0].ColumnSpan = columncount;
GridView1.Rows[0].Cells[0].Text = "No Records Found";
}
}
catch
{
//Response.Redirect("Error.aspx");
}
finally
{
con.Close();
}
}
存储过程
CREATE PROCEDURE SP_OPERATORS
@ID INT,
@NAME NVARCHAR(50),
@DOB DATETIME,
@ROLE VARCHAR(50)
AS
Set NoCount ON
Declare @SQLQuery AS NVarchar(4000)
Declare @ParamDefinition AS NVarchar(2000)
Set @SQLQuery = 'Select * From [OPERATOR] where (1=1) '
If @NAME Is Not Null
Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')'
If @ID Is Not Null
Set @SQLQuery = @SQLQuery + ' And (ID=@ID)'
If @DOB Is Not Null
Set @SQLQuery = @SQLQuery + ' And (DOB=@DOB)'
If @ROLE Is Not Null
Set @SQLQuery = @SQLQuery + ' And (ROLE=@ROLE)'
If (@NAME Is Not Null) AND (@DOB Is Not Null )
Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')'+'And (DOB=@DOB)'
If (@NAME Is Not Null) AND (@ROLE Is Not Null )
Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')'+' And (ROLE=@ROLE)'
If (@DOB Is Not Null) AND (@ID Is Not Null )
Set @SQLQuery = @SQLQuery + ' And (DOB=@DOB)'+' And (ID=@ID)'
If (@ROLE Is Not Null) AND (@ID Is Not Null )
Set @SQLQuery = @SQLQuery + ' And (ROLE=@ROLE)'+' And (ID=@ID)'
If (@ROLE Is Not Null) AND (@DOB Is Not Null )
Set @SQLQuery = @SQLQuery + ' And (DOB=@DOB)'+' And (ROLE=@ROLE)'
If (@NAME Is Not Null) AND (@ID Is Not Null ) AND (@ROLE Is Not Null )
Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')'+' And (ID=@ID)'+ ' And (ROLE=@ROLE)'
If (@NAME Is Not Null) AND (@ID Is Not Null ) AND (@DOB Is Not Null )
Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')'+' And (ID=@ID)'+ ' And (DOB=@DOB)'
If (@ROLE Is Not Null) AND (@ID Is Not Null ) AND (@DOB Is Not Null )
Set @SQLQuery = @SQLQuery + ' And (ROLE=@ROLE)'+' And (ID=@ID)'+ ' And (DOB=@DOB)'
If (@NAME Is Not Null) AND (@ID Is Not Null ) AND (@DOB Is Not Null ) AND (@ROLE Is Not Null)
Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')'+' And (ID=@ID)'+ ' And (ROLE=@ROLE)' + ' And (DOB=@DOB)'
Set @ParamDefinition =
' @ID INT,
@NAME NVARCHAR(50),
@DOB DATETIME,
@ROLE VARCHAR(50)'
Execute sp_Executesql @SQLQuery,
@ParamDefinition,
@ID,
@NAME,
@ROLE,
@DOB
If @@ERROR <> 0 GoTo ErrorHandler
Set NoCount OFF
Return(0)
ErrorHandler:
Return(@@ERROR)
GO
对data . fill (ds)的调用将执行查询,不需要额外的cmd。执行查询
为了您自己的利益,请将您用于查询的构造字符串切换为对存储过程的调用,或者切换为参数化查询。如果有人在这些文本框中输入恶意值,就会对SQL注入敞开大门。有更多的细节在这里(http://www.techrepublic.com/article/shorten-development-time-by-using-parameterized-queries-in-adonet/)和这里(https://msdn.microsoft.com/en-us/library/bbw6zyha(v=vs.110).aspx)
也不是很清楚你想用查询做什么。目前,它将尝试匹配您指定的所有参数,因为您在每个谓词之间使用' and '。如果您试图进行搜索,您可能希望其中一些是"or",或者您可能希望仅添加提供值的谓词。例如,目前,如果您将ID文本框留空,则只会返回OPERATOR的ID为空的结果,这听起来不像您的意图。