Order by in search filter function not working

Time: 2013-10-02 09:07:29

Tags: c# sql

I am trying to implement ORDER BY in the following search function:

    public DataSet SearchTable()
    {
        string sql1 = "SELECT * from dbo.Documents1 order by Received_Date";

        bool flag = false;

        if (!txtRef.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Ref LIKE N'%" + txtRef.Text + "%'";
            }
        }

        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }

        // ... the rest of the method (executing sql1 and returning the DataSet) was not posted
    }

I get the following error:

Incorrect syntax near the keyword 'where'.

Any idea how to fix this? Thanks in advance.

3 answers:

Answer 0: (score: 2)

You are ordering before the Where. That is not correct SQL syntax.

Try it this way:

    public DataSet SearchTable()
    {
        string sql1 = "SELECT * from dbo.Documents1";

        bool flag = false;

        if (!txtRef.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Ref LIKE N'%" + txtRef.Text + "%'";
            }
        }

        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }

        // order by is appended only after the complete where clause
        sql1 = sql1 + "  order by Received_Date";

        // ... execute sql1 and return the DataSet as before
    }

Answer 1: (score: 0)

I created a separate method that returns the SQL query. The "Order By" clause is taken out and appended before the query is returned. I also removed the "else" branch from the first block, since its condition is always true.

    public string GetSQL()
    {
        string sql1 = "SELECT * from dbo.Documents1";

        bool flag = false;

        if (!txtRef.Text.Equals(""))
        {
            sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
            flag = true;
        }

        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;
            }
            else
            {
                sql1 = sql1 + "  and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }

        sql1 = sql1 + " order by Received_Date";

        return sql1;
    }

Answer 2: (score: 0)

The code you have is vulnerable to SQL Injection.

To avoid this, you should use SqlParameter wherever possible. The code could then look like this:

    using System.Data;
    using System.Data.SqlClient;

    public DataSet SearchTable()
    {
        string sqlStatement = "SELECT * from dbo.Documents1";
        bool flag = false; // becomes true once a where clause has been added

        var reference = "something"; // txtRef.Text
        var subject = "something else"; // txtSubject.Text

        var sqlCommand = new SqlCommand();

        if (!string.IsNullOrWhiteSpace(reference))
        {
            var referenceParameter = new SqlParameter("@referenceParam", SqlDbType.VarChar, 100) { Value = reference };
            sqlCommand.Parameters.Add(referenceParameter);
            sqlStatement += AddWhereLike("Ref", "@referenceParam", !flag);
            flag = true;
        }

        if (!string.IsNullOrWhiteSpace(subject))
        {
            var subjectParameter = new SqlParameter("@subjectParam", SqlDbType.VarChar, 100) { Value = subject };
            sqlCommand.Parameters.Add(subjectParameter);
            sqlStatement += AddWhereLike("Subject", "@subjectParam", !flag);
            flag = true;
        }

        // order by goes after the complete where clause
        sqlStatement += " order by Received_Date";

        sqlCommand.CommandText = sqlStatement;

        // do your database reading here: set sqlCommand.Connection, fill the
        // DataSet with new SqlDataAdapter(sqlCommand).Fill(dataSet) and return it
        var dataSet = new DataSet();
        return dataSet;
    }

    private static string AddWhereLike(string columnName, string paramId, bool isFirstWhereCondition)
    {
        // The parentheses matter: without them ?: takes the whole concatenation as its
        // else branch. The wildcards are concatenated to the parameter on the SQL side,
        // because a parameter name written inside a quoted literal (N'%@param%') is
        // treated as literal text and never substituted.
        var whereCondition = (isFirstWhereCondition ? " where " : " and ")
            + columnName + " LIKE N'%' + " + paramId + " + N'%' ";
        return whereCondition;
    }
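As an added example that is not from the question or any of the answers, here is the same search assembled the way Answer 0 (where first, order by last) and Answer 2 (user text bound as parameters, never concatenated) describe, written in Python against an in-memory SQLite table that stands in for dbo.Documents1 so it runs offline. The sample rows and the table name Documents1 are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for dbo.Documents1 (not the asker's data).
SAMPLE_ROWS = [
    ("REF-001", "Budget report", "2013-09-01"),
    ("REF-002", "Budget meeting notes", "2013-09-15"),
    ("REF-003", "Holiday schedule", "2013-08-20"),
    ("REF-004", "O'Brien contract", "2013-09-10"),
]

# Column names are spliced into the SQL text, so they must come from a fixed
# allowlist; only the parameter values may come from the user.
FILTER_COLUMNS = ("Ref", "Subject")


def build_search(filters):
    """Return (sql, params) for the search the question builds by hand.

    filters maps column name -> text typed by the user; empty text is skipped,
    like the txtRef/txtSubject checks in the question. All WHERE conditions are
    collected first and ORDER BY is appended last, the clause order Answer 0
    points out. User text never enters the SQL string: it is bound as a
    parameter, with the % wildcards placed in the bound value.
    """
    sql = "SELECT Ref, Subject, Received_Date FROM Documents1"
    conditions, params = [], []
    for column, text in filters.items():
        if column not in FILTER_COLUMNS:
            raise ValueError(f"unknown filter column: {column}")
        if not text or not text.strip():
            continue
        conditions.append(f"{column} LIKE ?")
        params.append(f"%{text}%")
    if conditions:
        sql += " WHERE " + " AND ".join(conditions)
    sql += " ORDER BY Received_Date"
    return sql, params


def search(filters):
    """Run build_search against an in-memory SQLite copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Documents1 (Ref TEXT, Subject TEXT, Received_Date TEXT)")
    conn.executemany("INSERT INTO Documents1 VALUES (?, ?, ?)", SAMPLE_ROWS)
    sql, params = build_search(filters)
    return conn.execute(sql, params).fetchall()
```

A value containing a single quote, such as O'Brien, is matched as plain data instead of terminating the string literal, which is exactly the failure mode the concatenated version in the question has.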