Visual c#在SQL WHERE子句中使用变量时出现异常
本文关键字:变量 异常 SQL WHERE 子句 Visual | 更新日期: 2023-09-27 18:02:15
我目前使用c#在visual studio和我使用访问数据库。当客户从列表框中选择时,我试图从数据库中带回数据。当sql硬编码为
时,这可以完美地工作。command.CommandText = "SELECT * FROM Customers WHERE CustomerID = 2 ";
然而,当我试图使用字符串变量来存储所选的用户ID时,我在
上收到"标准表达式中的数据类型不匹配"。"OleDbDataReader reader = command.ExecuteReader();".
我已经使用消息框来确认s2变量在选择时包含正确的ID,因此我不确定问题所在。
有谁知道这个问题的解决方法吗? private void lst_disp_SelectedIndexChanged(object sender, EventArgs e)
{
String s = (String)lst_disp.SelectedItem; // the s string contains the selected customers ID + name,
string s2 = s.Split(' ').FirstOrDefault(); // by spliting we can gain only the ID and store in s2
MessageBox.Show("Selected " + s2);
showCust(s2);
}
private void showCust(string s2)
{
dataGridView1.AllowUserToAddRows = false;
dataGridView1.Columns.Add("CustomerID", "Customer ID");
dataGridView1.Columns.Add("CustomerName", "Customer Name");
dataGridView1.Columns.Add("Description", "Description");
dataGridView1.Columns.Add("Email", "Email");
dataGridView1.Columns.Add("Telephone", "Telephone");
dataGridView1.Columns.Add("DeliveryAddress", "Delivery Address");
dataGridView1.Columns.Add("Notes", "Notes");
OleDbConnection connect = new OleDbConnection();
connect.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=E:'Uni'Year 3'Final Year Project'independent foods'coding'showCustomers'Database1.accdb;Persist Security Info=False";
connect.Open();
MessageBox.Show("Connection open");
OleDbCommand command = new OleDbCommand();
command.Connection = connect;
MessageBox.Show("SELECT * FROM Customers WHERE CustomerID = '" + s2 + "' ");
command.CommandText = "SELECT * FROM Customers WHERE CustomerID = '" + s2 + "' ";
try
{
OleDbDataReader reader = command.ExecuteReader();
while (reader.Read())
{
dataGridView1.Rows[dataGridView1.Rows.Count - 1].Cells["CustomerID"].Value = reader[0].ToString();
dataGridView1.Rows[dataGridView1.Rows.Count - 1].Cells["CustomerName"].Value = reader[1].ToString();
dataGridView1.Rows[dataGridView1.Rows.Count - 1].Cells["Description"].Value = reader[2].ToString();
dataGridView1.Rows[dataGridView1.Rows.Count - 1].Cells["Email"].Value = reader[3].ToString();
dataGridView1.Rows[dataGridView1.Rows.Count - 1].Cells["Telephone"].Value = reader[4].ToString();
dataGridView1.Rows[dataGridView1.Rows.Count - 1].Cells["DeliveryAddress"].Value = reader[5].ToString();
dataGridView1.Rows[dataGridView1.Rows.Count - 1].Cells["Notes"].Value = reader[6].ToString();
}
}
catch(Exception e)
{
MessageBox.Show("The File cann't be read. Error: " + e.Message);
}
}
去掉单引号,看起来这个列是整型的
command.CommandText = "SELECT * FROM Customers WHERE CustomerID = " + s2;
为了更好地防止sql注入(类似于这样),您还应该将其参数化:
SqlParameter custID = new SqlParameter("custID",s2);
command.Parameters.Add(custID);
command.CommandText = "SELECT * FROM Customers WHERE CustomerID = @custID";
看看这篇文章,或者做一个简单的搜索参数化你的查询。
一个简单的Google演示如何使用参数MSDN
这是因为当你这样参数化它时,结果查询是不一样的。
在原始的硬编码语句中,有
SELECT * FROM Customers WHERE CustomerID = 2
在你的新语句中你以
结束SELECT * FROM Customers WHERE CustomerID = '2'
CustomerID是一个整型,但是你在第二个例子中试图将它与字符串进行比较。
试试这行代码:
command.CommandText = "SELECT * FROM Customers WHERE CustomerID = " + s2;
我去掉了单引号。
Mike C说得很好。您应该将其参数化,以获得更高的可靠性。