How to search from a textbox and display the results in a GridView

Time: 2014-03-24 05:59:13

Tags: c# asp.net gridview

I'm trying to look up the database rows that match the text in the textbox and display the related database records in the GridView. What am I doing wrong here?

protected void btnsearch_Click(object sender, EventArgs e)
{
    string q = "Select * from facultyreg where fname ='"+txtsearch.Text.ToString() + "'";
    sda = new SqlDataAdapter(q, con);
    ds = new DataSet();
    sda.Fill(ds, "facultyreg");
    GridView2.DataSource = null;
    //GridView2.DataBind();
    GridView2.DataSource=ds.Tables[0];

    /* cmd = new SqlCommand(q,con);
    if (sdr.HasRows && sdr != null)
    {
        sdr.Read();

    }*/
}

3 Answers:

Answer 0: (score: 1)

You are not binding your GridView. Use something like this:

protected void btnsearch_Click(object sender, EventArgs e)
{
    string q = "Select * from facultyreg where fname ='"+txtsearch.Text.ToString() + "'";
    sda = new SqlDataAdapter(q, con);
    ds = new DataSet();
    sda.Fill(ds);
    GridView2.DataSource = ds;
    GridView2.DataBind();

   /* cmd = new SqlCommand(q,con);
    if (sdr.HasRows && sdr != null)
    {
        sdr.Read();

    }*/
}

As pravpab said, use parameterized queries to avoid SQL injection (i.e. concatenating the textbox directly into the query).
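Answer 0's advice applied to the question's handler, as an added example that is not part of the question or of any answer: the same facultyreg lookup with the textbox value bound as a SqlParameter, beside the concatenated form for comparison (it also shows the parameterization that answer 1's GetData obtains through a stored procedure). It assumes the table and column names from the question (facultyreg, fname) and a connection string supplied by the caller; Main runs offline without a database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class FacultySearch
{
    // Parameterized form of the question's query. The textbox value travels as a
    // typed parameter, so SQL Server treats it strictly as data: a quote or a
    // keyword inside it can never change the shape of the statement.
    public static SqlCommand BuildSearchCommand(SqlConnection con, string fname)
    {
        var cmd = new SqlCommand("SELECT * FROM facultyreg WHERE fname = @fname", con);
        cmd.Parameters.Add("@fname", SqlDbType.NVarChar, 100).Value = fname ?? string.Empty;
        return cmd;
    }

    // The question's approach, kept only for comparison: the input is spliced
    // into the statement text, so the database parses it as SQL.
    public static string BuildConcatenatedQuery(string fname) =>
        "Select * from facultyreg where fname ='" + fname + "'";

    // What the button handler should call: returns the rows to bind to GridView2.
    // Fill() opens and closes the connection itself.
    public static DataTable RunSearch(string connectionString, string fname)
    {
        var dt = new DataTable();
        using (var con = new SqlConnection(connectionString))
        using (var cmd = BuildSearchCommand(con, fname))
        using (var sda = new SqlDataAdapter(cmd))
        {
            sda.Fill(dt);
        }
        return dt;
    }

    // Offline demonstration (no database needed): an ordinary surname shows why
    // concatenation is both a correctness bug and the injection vector.
    public static void Main()
    {
        const string input = "O'Brien";                        // constructed sample input
        using (var cmd = BuildSearchCommand(null, input))
        {
            Console.WriteLine(cmd.CommandText);                // statement text is fixed
            Console.WriteLine(cmd.Parameters["@fname"].Value); // data stays data: O'Brien
        }
        // Unbalanced quote: a syntax error for this legitimate user, and the same
        // mechanism is the SQL injection the answers warn about.
        Console.WriteLine(BuildConcatenatedQuery(input));
    }
}
```

In the page's handler, assign RunSearch(connectionString, txtsearch.Text.Trim()) to GridView2.DataSource and then call GridView2.DataBind().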

Answer 1: (score: 1)

You can easily bind the GridView using SqlInjection and a parameterized query.

// requires: using System.Data; using System.Data.SqlClient; using System.Globalization; using System.Text.RegularExpressions;

protected void btnsearch_Click(object sender, EventArgs e)
{
    var searchresult = SqlInjection(txtsearch.Text.ToString());
    var dt = GetData(searchresult);
    if (dt != null)
    {
        GridView2.DataSource = dt;
        GridView2.DataBind();
    }
}

private DataTable GetData(string searchvalue)
{
    using (var dataset = new DataSet())
    {
        dataset.Locale = CultureInfo.InvariantCulture;
        using (var connection = new SqlConnection("Your connection string"))
        {
            using (var sqlCommand = new SqlCommand("write your stored procedure name here", connection))
            {
                // the search value is passed as a parameter, so the procedure receives it as data, not as SQL text
                sqlCommand.Parameters.AddWithValue("parameter name from stored procedure", searchvalue);
                sqlCommand.CommandType = CommandType.StoredProcedure;
                sqlCommand.CommandTimeout = 180;
                using (var sqlDataAdapter = new SqlDataAdapter(sqlCommand))
                {
                    dataset.Reset();
                    sqlDataAdapter.Fill(dataset); // Fill opens the connection itself
                    sqlCommand.Connection.Close();
                }
            }
        }

        return dataset.Tables[0];
    }
}

private static string SqlInjection(string stringValue)
{
    if (null == stringValue)
    {
        return null;
    }

    // collapse runs of "--" (the T-SQL line-comment marker) to a single "-"
    stringValue = Regex.Replace(stringValue, "-{2,}", "-");
    // strip the listed SQL keywords when preceded by ';' or whitespace and followed by whitespace
    return Regex.Replace(stringValue,
        @"(;|\s)(exec|execute|select|insert|update|delete|create|alter|drop|rename|truncate|backup|restore)\s",
        string.Empty, RegexOptions.IgnoreCase);
}

Answer 2: (score: 1)

Try this:

Partial Class _Default
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(sender As Object, e As System.EventArgs) Handles Me.Load

    End Sub

    Protected Sub BindGrid(searchText As String)
        ' OleDb parameters are positional: each ? in the command text is bound to the
        ' parameters in the order they were added, and the value is sent as data.
        ' OPENQUERY only accepts a literal pass-through string, so the filter is
        ' applied by the outer SELECT, where the ? marker is allowed.
        Dim sql As String = "SELECT * FROM OPENQUERY([xxxx.NET\CSI], 'SELECT * FROM SReader.table1') WHERE CurrentCostCenter = ?"
        Using connection As New OleDbConnection("myconnection")
            Using cmd As New OleDbCommand(sql, connection)
                cmd.Parameters.AddWithValue("@CurrentCostCenter", searchText)

                Dim dt As New DataTable()
                Using ad As New OleDbDataAdapter(cmd)
                    ad.Fill(dt)   ' Fill opens and closes the connection itself
                End Using

                If dt.Rows.Count > 0 Then
                    ' the query returned data: bind it to the grid
                    GridView1.DataSource = dt
                    GridView1.DataBind()
                Else
                    ' no records found
                End If
            End Using
        End Using
    End Sub

    Protected Sub Button1_Click(sender As Object, e As EventArgs)
        BindGrid(TextBox1.Text.Trim())
    End Sub

End Class

http://www.mikesdotnetting.com/Article/116/Parameterized-IN-clauses-with-ADO.NET-and-LINQ