最大限度地减少条件数量

时间:2014-10-16 08:30:38

标签: c# asp.net sql-server 

protected void Button_Click(object sender, EventArgs e)
{
    string name = this.name.Text;
    string age = this.age.Text;
    string state = this.state.Text;
    string classes = this.classes.Text;

    string query = "select StudentInfoId, Name, Age, State, tbl2.ClassName from tblstudentinfo tbl1 join Class tbl2 on (tbl1.class = tbl2.classid)";

    if (name != "" || age != "" || state != "" || classes != "")
    {
        query += " where";
    }

    if (name != "")
    {
        query = query + " name = '" + name + "' " ;
    }

    if (age != "")
    {
        if (name != "")
        {
            query = query + " and age = '" + age + "' ";
        }
        else
        {
            query = query + " age = '" + age + "' ";
        }
    }

    if (state != "")
    {
        if (name != "" || age != "")
        {
            query = query + " and state = '" + state + "' ";
        }
        else
        {
            query = query + " state = '" + state + "' ";
        }
    }

    if (classes != "")
    {
        if (name != "" || age != "" || state != "")
        {
            query = query + " and class = '" + classes + "' ";
        }
        else
        {
            query = query + " class = '" + classes + "' ";
        }
    }
    BindData(query);
}


private void BindData(string query)
{
    SqlDataAdapter da = new SqlDataAdapter(query, conn);
    DataSet ds = new DataSet();
    da.Fill(ds);
    GridView1.DataSource = ds;
    GridView1.DataBind();
}

2 个答案:

答案 0 :(得分:4)

实际上你正试图优化错误的东西。您不应该使用字符串连接来添加列和值。您很容易受到sql注入攻击,并且还将所有数据类型视为字符串,这可能会导致其他问题。

相反,你应该使用sql-parameters。这是一个例子:

string query = @"SELECT StudentInfoId, Name, Age, State, tbl2.ClassName 
                 FROM   tblstudentinfo tbl1 
                 INNER JOIN Class tbl2 ON (tbl1.class = tbl2.classid)
                 WHERE (@name IS NULL OR name = @name)
                 AND   (@age IS NULL OR age = @age)
                 AND   (@state IS NULL OR state = @state)
                 AND   (@classes IS NULL OR classes = @classes)";

DataTable table = new DataTable();
using(var conn = new SqlConnection(" ... "))
using(var da = new SqlDataAdapter(query, conn))
{
    var parameters = da.SelectCommand.Parameters;
    var p = new SqlParameter("@name", SqlDbType.NVarChar);
    if(!string.IsNullOrWhiteSpace(this.name.Text))
        p.Value = this.name.Text.Trim();
    else
        p.Value = DBNull.Value;
    parameters.Add(p);

    p = new SqlParameter("@age", SqlDbType.Int);
    int age;
    if(int.TryParse(this.age.Text, out age))
        p.Value = age;
    else
        p.Value = DBNull.Value;
    parameters.Add(p);

    // ...

    da.Fill(table);
}

GridView1.DataSource = table;
GridView1.DataBind();

答案 1 :(得分:0)

尝试以下方法。我刚刚将其中1 = 1 添加到默认查询中,因此在添加查询的其他部分时,您始终需要

string query = "select StudentInfoId, Name, Age, State, tbl2.ClassName from tblstudentinfo tbl1 join Class tbl2 on (tbl1.class = tbl2.classid) where 1=1 ";


    if (name != "")
    {
        query = query + " and name = '" + name + "' " ;
    }

    if (age != "")
    {
         query = query + " and age = '" + age + "' ";
    }

    if (state != "")
    {
          query = query + " and state = '" + state + "' ";
    }

    if (classes != "")
    {
          query = query + " and class = '" + classes + "' ";
    }
相关问题
最新问题