不只搜索姓氏

时间:2013-03-23 06:27:34

标签: c# sql

在我的webapp中,我有一个搜索框,以便我可以使用名字或姓氏搜索我的数据库,它将在我的网络应用程序中显示结果。用户输入名字或姓氏。如果搜索名字查询运行正常但如果用户只按姓氏搜索,则表示表中的所有数据都不显示像lastname

这样的数据 
 string sql = @"SELECT opd_id AS [OPD No]
       , opd_date AS DATE
       , opd_dpt AS DEPARTMENT
       , opd_pfname + ' ' + opd_plname AS [Patient NAME]
       , opd_age AS AGE
       , opd_gender AS GENDER
       , opd_mob AS [MOBILE NO]
       , opd_fthrname AS [FATHER NAME]
       , opd_hsbndname AS [HUSBAND NAME]
       FROM tbl_OPD 
        WHERE opd_pfname like'%" + fname + @"%' 
        OR opd_plname like'%" + lname + @"% '
        ORDER BY DATE DESC";

2 个答案:

答案 0 :(得分:2)

中的额外空格 
OR opd_plname like'%" + lname + @"% '

白色空间^

另外,请注意sql injection,您可以使用prepared sql statements和参数绑定修复

答案 1 :(得分:1)

如果没有看到更多代码,可能就是您只填充了fnamelname个变量。假设是这种情况,您可以使用此代码。

// this assumes that you have only have 1 input for both the first name and lastname 
// and are storing it in a variable named searchForName
using (var connection = new SqlConnection("YOUR_CONFIGURATION_CONNECTION_STRING"))
{
    using (var command = new SqlCommand("SELECT opd_id AS [OPD No], opd_date AS DATE, opd_dpt AS DEPARTMENT, opd_pfname + ' ' + opd_plname AS [Patient NAME], opd_age AS AGE, opd_gender AS GENDER, opd_mob AS [MOBILE NO], opd_fthrname AS [FATHER NAME], opd_hsbndname AS [HUSBAND NAME] FROM tbl_OPD WHERE (opd_pfname like @p0 OR opd_plname like @p0) ORDER BY DATE DESC", connection))
    {
        command.Parameters.Add(new SqlParameter("@p0", string.Format("%{0}%", searchForName)));

        // rest of your code here E.G., sComm.ExecuteNonQuery();
    }
}

如果您知道两个变量都已填充,请尝试使用此代码块

using (var connection = new SqlConnection("YOUR_CONFIGURATION_CONNECTION_STRING"))
{
    using (var command = new SqlCommand("SELECT opd_id AS [OPD No], opd_date AS DATE, opd_dpt AS DEPARTMENT, opd_pfname + ' ' + opd_plname AS [Patient NAME], opd_age AS AGE, opd_gender AS GENDER, opd_mob AS [MOBILE NO], opd_fthrname AS [FATHER NAME], opd_hsbndname AS [HUSBAND NAME] FROM tbl_OPD WHERE (opd_pfname like @p0 OR opd_plname like @p1) ORDER BY DATE DESC", connection))
    {
        command.Parameters.Add(new SqlParameter("@p0", string.Format("%{0}%", searchForFirstName)));
        command.Parameters.Add(new SqlParameter("@p1", string.Format("%{0}%", searchForLastName)));

        // rest of your code here E.G., sComm.ExecuteNonQuery();
    }
}

PS。正如其他人所说,这里显示的代码有点不安全,你应该尽一切努力避免Sql Injection攻击。

相关问题
最新问题