似乎我是个白痴,试图在C#中对SQL数据库执行简单的查询。 这是查询,我正在尝试执行:
_query = "SELECT PC.SN, User.Name + ' ' + User.Family as AssignedTo " +
"FROM PC LEFT JOIN Users ON PC.USERID = Users.ID " +
"WHERE PC.Type = '" + AssetTypeCB.SelectedItem.ToString() + "'";
问题是我得到了一个"无法在nvarchar上调用方法"错误信息。 你知道这可能是什么问题吗?
答案 0 :(得分:7)
您的查询似乎有误。您需要将User.Name更改为Users.Name等。正确的查询是:
_query = "SELECT PC.SN, Users.Name + ' ' + Users.Family as AssignedTo " +
"FROM PC LEFT JOIN Users ON PC.USERID = Users.ID " +
"WHERE PC.Type = '" + AssetTypeCB.SelectedItem.ToString() + "'";
另外,请允许我建议对代码使用参数化查询。 This可以告诉你为什么要这样做。
答案 1 :(得分:0)
我认为最好在查询中添加参数
using System;
using System.Data;
using System.Data.SqlClient;
class ParamDemo
{
static void Main()
{
// conn and reader declared outside try
// block for visibility in finally block
SqlConnection conn = null;
SqlDataReader reader = null;
string inputCity = "London";
try
{
// instantiate and open connection
conn = new
SqlConnection("Server=(local);DataBase=Northwind;Integrated Security=SSPI");
conn.Open();
// don't ever do this
// SqlCommand cmd = new SqlCommand(
// "select * from Customers where city = '" + inputCity + "'";
// 1. declare command object with parameter
SqlCommand cmd = new SqlCommand(
"select * from Customers where city = @City", conn);
// 2. define parameters used in command object
SqlParameter param = new SqlParameter();
param.ParameterName = "@City";
param.Value = inputCity;
// 3. add new parameter to command object
cmd.Parameters.Add(param);
// get data stream
reader = cmd.ExecuteReader();
// write each record
while(reader.Read())
{
Console.WriteLine("{0}, {1}",
reader["CompanyName"],
reader["ContactName"]);
}
}
finally
{
// close reader
if (reader != null)
{
reader.Close();
}
// close connection
if (conn != null)
{
conn.Close();
}
}
}
}
答案 2 :(得分:0)
此查询会向您显示SQL注入攻击。 Yous应该将其转换为预准备语句,但实际错误来自您使用表名Users。你有SELECT ... 用户应该是用户,你没有得到错误的列名错误的原因是因为User是一个保留的关键字,因此SQL Server会给你那个特定的错误,除非你用[]分隔表名。以下代码应该修复它。
string _query = "SELECT PC.SN, Users.Name + ' ' + Users.Family as AssignedTo FROM PC LEFT JOIN Users ON PC.USERID = Users.ID WHERE PC.Type = @Type";
SqlConnection conn = new SqlConnection("YOUR_CONNECTION_STRING");
SqlCommand cmd = new SqlCommand(_query, connection);
cmd.Parameters.AddWithValue("Type", AssetTypeCB.SelectedItem.Value);
DataTable dt = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter(cmd);
adp.Fill(dt);
如果您的表名实际上是User,则此代码将修复错误
string _query = "SELECT PC.SN, [User].Name + ' ' + [User].Family as AssignedTo FROM PC LEFT JOIN [User] ON PC.USERID = [User].ID WHERE PC.Type = @Type";
SqlConnection conn = new SqlConnection("YOUR_CONNECTION_STRING");
SqlCommand cmd = new SqlCommand(_query, connection);
cmd.Parameters.AddWithValue("Type", AssetTypeCB.SelectedItem.ToString());
DataTable dt = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter(cmd);
adp.Fill(dt);
有关SQL注入攻击的更多信息
假设smooene在原始陈述中输入以下值。
'; DELETE FROM Users; --
执行SQL语句时,SQL Server会将其解释为:
SELECT PC.SN, User.Name + ' ' + User.Family as AssignedTo
FROM PC LEFT JOIN Users ON PC.USERID = Users.ID
WHERE PC.Type = ''; DELETE FROM Users; --'
此语句完全有效,并且根据您的用户拥有的权限级别,这可能会删除Users表中的所有记录。使用准备好的语句 help 来阻止这种情况发生。