I am working on a big query, and because I reuse the same select statement 4 times, I want to put the result of one slow query into a variable 'var_sql' so that I can use it again in the other queries.
For example:
string var_sql = "select Session_Id from sessions where UserId='"
+ Session["userid"].ToString() + "'";
// Note: every "var_sql" below sits inside the string literal, so SQL Server
// receives the text var_sql rather than the contents of the C# variable.
SqlCommand command
= new SqlCommand("Select distinct right(start_time,7) as st_time, right(end_time,7) as ed_time from Session_Info where CourseName = '"
+ coursename.SelectedValue
+ "' and Session_Id not in (select Session_Id from sessions where UserId='"
+ Session["userid"].ToString() + "') and start_time not in (select start_time from Session_Info where Convert(varchar,start_time, 108) between (select right(start_time,7) from Session_Info where Session_Id in (var_sql )) and (select right(dateadd(minute,-1,end_time),7) from Session_Info where Session_Id in (var_sql ))) and end_time not in (select end_time from Session_Info where Convert(varchar,end_time, 108) between (select right(dateadd(minute,+1,start_time),7) from Session_Info where Session_Id in (var_sql )) and (select right(end_time,7) from Session_Info where Session_Id in (var_sql ))) ",
connection);
See that I use the same var_sql in four places. Here I tried it like this, but it does not work properly. Can anyone help me?
Answer 0 (score: 1)
You should not use string concatenation to create queries, because it is very easy to perform SQL injection (see explanation). Also have a look at this so that you do not forget it next time. A funny thing more than anything.
Apart from that, you should completely redesign the query and use SqlParameter to form the command. See how to use parameters here.
using (SqlCommand command = new SqlCommand("SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
{
    // The value is sent as a parameter, so it is never parsed as part of the SQL text
    command.Parameters.Add(new SqlParameter("Name", dogName));
    //...do your stuff with command
}
Since you have not described the requirements, I cannot advise on how to redesign the query, but you should try joining the Session_Id table to itself.
Edit
This is definitely not the right way to do it (see my previous comment for why), but it seems you do not want to redesign anything. As I already said in the comment, you need to use var_sql outside the double quotes (""), so that the contents of var_sql are added to the query rather than the variable name itself.
Here you go:
string var_sql = "select Session_Id from sessions where UserId='"
+ Session["userid"].ToString() + "'";
SqlCommand command
= new SqlCommand("Select distinct right(start_time,7) as st_time, right(end_time,7) as ed_time from Session_Info where CourseName = '"
+ coursename.SelectedValue
+ "' and Session_Id not in (select Session_Id from sessions where UserId='"
+ Session["userid"].ToString() + "') and start_time not in (select start_time from Session_Info where Convert(varchar,start_time, 108) between (select right(start_time,7) from Session_Info where Session_Id in (" + var_sql + " )) and (select right(dateadd(minute,-1,end_time),7) from Session_Info where Session_Id in (" + var_sql + " ))) and end_time not in (select end_time from Session_Info where Convert(varchar,end_time, 108) between (select right(dateadd(minute,+1,start_time),7) from Session_Info where Session_Id in (" + var_sql + " )) and (select right(end_time,7) from Session_Info where Session_Id in (" + var_sql + " ))) ",
connection);
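As an added example (not code from the question or from either answer), here is the questioner's query rewritten the way this answer recommends: the user-supplied values go in as SqlParameter objects and the "sessions of this user" subquery is written once as a common table expression instead of being pasted four times. It assumes the tables and columns named in the question (sessions, Session_Info) and the column types used in the stored procedure below; the connection string and the GetFreeTimings method name are assumptions.

```csharp
// Added example: parameterized version of the query from the question.
// The schema (sessions, Session_Info) is taken from the question; the
// connection string and the method name are assumed for illustration.
using System;
using System.Data;
using System.Data.SqlClient;

public static class SessionTimingQuery
{
    // User input never becomes part of the SQL text: @UserId and @CourseName
    // are typed parameters, and the per-user session list is defined once in
    // the CTE and referenced wherever the original pasted var_sql.
    private const string Sql = @"
        WITH user_sessions AS (
            SELECT Session_Id FROM sessions WHERE UserId = @UserId
        )
        SELECT DISTINCT RIGHT(start_time, 7) AS st_time,
                        RIGHT(end_time, 7)   AS ed_time
        FROM Session_Info
        WHERE CourseName = @CourseName
          AND Session_Id NOT IN (SELECT Session_Id FROM user_sessions)
          AND start_time NOT IN (
                SELECT start_time FROM Session_Info
                WHERE CONVERT(varchar, start_time, 108) BETWEEN
                      (SELECT RIGHT(start_time, 7) FROM Session_Info
                        WHERE Session_Id IN (SELECT Session_Id FROM user_sessions))
                  AND (SELECT RIGHT(DATEADD(minute, -1, end_time), 7) FROM Session_Info
                        WHERE Session_Id IN (SELECT Session_Id FROM user_sessions)))
          AND end_time NOT IN (
                SELECT end_time FROM Session_Info
                WHERE CONVERT(varchar, end_time, 108) BETWEEN
                      (SELECT RIGHT(DATEADD(minute, 1, start_time), 7) FROM Session_Info
                        WHERE Session_Id IN (SELECT Session_Id FROM user_sessions))
                  AND (SELECT RIGHT(end_time, 7) FROM Session_Info
                        WHERE Session_Id IN (SELECT Session_Id FROM user_sessions)));";

    // Returns the free timings for one user and course as a DataTable.
    // Callers pass Session["userid"] and coursename.SelectedValue as the
    // two strings; they are bound as parameters, not concatenated.
    public static DataTable GetFreeTimings(string connectionString, string userId, string courseName)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(Sql, connection))
        {
            // Explicit types and lengths (matching the stored procedure's
            // declarations) give the server a stable parameter shape, so the
            // plan is reused and a value like ' OR 1=1 -- is just data.
            command.Parameters.Add("@UserId", SqlDbType.NVarChar, 70).Value = userId;
            command.Parameters.Add("@CourseName", SqlDbType.VarChar, -1).Value = courseName;

            var table = new DataTable();
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

The query body keeps the questioner's comparison logic unchanged; the only structural difference is that the subquery on sessions appears once in the CTE, which is the reuse the question was asking for, and that the two inputs are bound rather than spliced into the text.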
Answer 1 (score: 0)
I really appreciate all the replies, especially Kaspars Ozols. As you said, I redesigned my query and used a stored procedure like this.
create procedure b_timing
(
    @UserId nvarchar(70),
    @CourseName varchar(max)
)
as
begin
    -- Note: a variable assignment keeps a single Session_Id; if the user
    -- has several sessions only one of them is held in @select_ID
    declare @select_ID varchar(50)
    select @select_ID = Session_Id from sessions where UserId=@UserId
    Select distinct right(start_time,7) as st_time, right(end_time,7) as ed_time from Session_Info where CourseName = @CourseName and Session_Id not in (@select_ID) and start_time not in (select start_time from Session_Info where Convert(varchar,start_time, 108) between (select right(start_time,7) from Session_Info where Session_Id in (@select_ID)) and (select right(dateadd(minute,-1,end_time),7) from Session_Info where Session_Id in (@select_ID))) and end_time not in (select end_time from Session_Info where Convert(varchar,end_time, 108) between (select right(dateadd(minute,+1,start_time),7) from Session_Info where Session_Id in (@select_ID)) and (select right(end_time,7) from Session_Info where Session_Id in (@select_ID)))
end
and call it in ASP.NET C# like this
SqlConnection connection = new SqlConnection(strcon);
connection.Open();
// Call the stored procedure by name; the two inputs are passed as parameters
SqlCommand command = new SqlCommand("b_timing", connection);
command.CommandType = CommandType.StoredProcedure;
command.Parameters.AddWithValue("@UserId", Session["userid"].ToString());
command.Parameters.AddWithValue("@CourseName", coursename.SelectedValue);
SqlDataAdapter da = new SqlDataAdapter(command);
da.SelectCommand = command;
DataTable dt = new DataTable();
da.Fill(dt);
// Computed column combining the two result columns for display
dt.Columns.Add("timing", typeof(string), "st_time+' '+'To'+' '+ed_time");
if (dt.Rows.Count > 0)
{
    timing.DataSource = dt;
    timing.DataTextField = "timing";
    timing.DataValueField = "timing";
    timing.DataBind();
    timing.Items.Insert(0, new ListItem("Choose Batch Timing", "0"));
    timing.Visible = true;
    timing.Focus();
}
Now it works fine.