我想在这里加入两个表,但最终得到错误" toolid"附近的语法不正确,下面是我正在使用的代码。 toolsoutageid和toolid的值已从其他页面发送 link.NavigateUrl ="〜/ OutageInfo.aspx?outageID =" + outageid +" toolid =" + toolid;
string x = this.Request.QueryString["outageID"];
string y = this.Request.QueryString["toolid"];
SqlConnection con = new SqlConnection(@"xyz");//connection name
con.Open();
SqlCommand cmd = new SqlCommand("select toolname,ErrorDescription,StartTime,EndTime from TransactionDetails,tools where ToolsOutageID=" + x +"and toolid="+y, con);
cmd.CommandType = CommandType.Text;
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds);//Here I get the error
GridView1.DataSource = ds.Tables;
GridView1.DataBind();
答案 0 :(得分:0)
在"和"旁边留一个空格在查询字符串
上select toolname,ErrorDescription,StartTime,EndTime from TransactionDetails,tools where ToolsOutageID=" + x +" and toolid="+y
答案 1 :(得分:0)
假设您的参数是字符串,则应使用'
进行字符串压缩。
Assuming that your parameters are string you should use `'` for your string compression.
select
toolname,
ErrorDescription,
StartTime,
EndTime
from
TransactionDetails
where
ToolsOutageID='" + x +"'
and toolid='"+y+"'"
但你应该使用参数化查询代替上面的查询 How do parameterized queries help against SQL injection?
int x = Convert.ToInt32(this.Request.QueryString["outageID"]);
int y = Convert.ToInt32(this.Request.QueryString["toolid"]);
select
toolname,
ErrorDescription,
StartTime,
EndTime
from
TransactionDetails
where
ToolsOutageID=" + x +"
and toolid="+y