我该如何申报cookie

时间:2014-11-09 03:38:54

标签: c# cookies declare

我试图让这段代码工作正常,但我无法,我正在使用cookie,我想根据cookie位置重新绑定我的ListView但我收到错误消息:“必须声明标量变量”@Location “”

protected void Sortcarbtn_Click(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies.Get("Location");
        using (SqlConnection carcon = new SqlConnection(ConfigurationManager.ConnectionStrings["BeravaConnectionString"].ConnectionString))

            if (cookie != null)
            {
                string CarSqlST = @"SELECT DISTINCT AdsID, Section, Category, Country, Maker, Gear, Condition, Status, State, City, AdsTit, 
                SUBSTRING(AdsDesc,1,155) as AdsDesc, Year, AdsPrice, Img1 From ads Where 1=1 AND Category=@CATE AND Country = @Location ";


                var Location = Convert.ToString(cookie["Location"]);
                var cat = Convert.ToString(Request.QueryString["cat"]);

                string condition = "";

                if (barndcardrlst.SelectedValue != "")
                {
                    condition += " and Maker='" + barndcardrlst.SelectedValue + "'";
                }
                if (GearDrDw.SelectedValue != "")
                {
                    condition += " and Gear='" + GearDrDw.SelectedValue + "'";
                }


                if (carstatedrdolst.SelectedValue != "")
                {
                    condition += " and State='" + carstatedrdolst.SelectedValue + "'";
                }
                if (citiesdrdolst.SelectedValue != "")
                {
                    condition += " and City='" + citiesdrdolst.SelectedValue + "'";
                }


                if (CarCondDrDw.SelectedValue != "")
                {
                    condition += " and Condition='" + CarCondDrDw.SelectedValue + "'";
                }
                if (CarstusDRDL.SelectedValue != "")
                {
                    condition += " and Status='" + CarstusDRDL.SelectedValue + "'";
                }
                if ((CarPriceFrmDrDw.SelectedValue != "") && (CarPriceToDrDw.SelectedValue != ""))
                {
                    condition += " and AdsPrice BETWEEN " + CarPriceFrmDrDw.SelectedValue + " AND " + CarPriceToDrDw.SelectedValue;
                }

                if ((CarYearfrmDrDw.SelectedValue != "") && (CarYeartoDrDw.SelectedValue != ""))
                {
                    condition += " and Year BETWEEN " + CarYearfrmDrDw.SelectedValue + " AND " + CarYeartoDrDw.SelectedValue;
                }


                DataTable cdt = new DataTable();
                carcon.Open();
                SqlCommand ccmd = new SqlCommand();
                ccmd.Connection = carcon;
                ccmd.CommandType = CommandType.Text;
                ccmd.Parameters.AddWithValue("@Country", Location);
                ccmd.Parameters.AddWithValue("@CATE", cat);
                ccmd.CommandText = CarSqlST + condition;
                SqlDataAdapter ad = new SqlDataAdapter();
                ad.SelectCommand = ccmd;

                ad.Fill(cdt);
                cateshowlistview.DataSource = cdt;
                cateshowlistview.DataBind();

            }


    }

1 个答案:

答案 0 :(得分:0)

改变" @ Country"在

ccmd.Parameters.AddWithValue("@Country", Location); 

是" @ Location"

ccmd.Parameters.AddWithValue("@Location", Location); 

您将SQL语句中的国家/地区定义为@Location

string CarSqlST = @" SELECT ... AND Category = @ CATE AND Country = @Location ";

更新

为了防止SQL注入攻击并允许SQL重用查询选项所有将字符串连接在一起的文件管理器,您应该只使用SQL参数。为了方便起见,我创建了一个要添加的参数字典。然后在结束循环通过字典来填写SQL参数。我也把它改成了字符串构建器,因为它可以做很多字符串连接。我没有测试这段代码,因为我没有你的对象或表或连接。

using (var carcon = new SqlConnection(ConfigurationManager.ConnectionStrings["BeravaConnectionString"].ConnectionString)))
{
    if (cookie != null)
    {
        // Parameters for SQL
        var parameters = new Dictionary<string, object>();

        // string builder to build up SQL Statement
        var CarSqlST = new StringBuilder(
            "SELECT DISTINCT AdsID, Section, Category, Country, Maker, Gear, Condition, Status, State, City, AdsTit, " +
            "SUBSTRING(AdsDesc,1,155) as AdsDesc, Year, AdsPrice, Img1 From ads " +
            "Where Category = @pCATE AND Country = @pLocation ");

        parameters.Add("@pCATE", Request.QueryString["cat"].ToString());
        parameters.Add("@pLocation", cookie["Location"]);

        if (barndcardrlst.SelectedValue != "")
        {
            CarSqlST.Append(" and Maker= @pMaker");
            parameters.Add("@pMaker", barndcardrlst.SelectedValue);
        }

        if (GearDrDw.SelectedValue != "")
        {
            CarSqlST.Append(" and Gear= @pGear");
            parameters.Add("@pGear", GearDrDw.SelectedValue);
        }

        if (carstatedrdolst.SelectedValue != "")
        {
            CarSqlST.Append(" and State= @pState");
            parameters.Add("@pState", carstatedrdolst.SelectedValue);
        }

        if (citiesdrdolst.SelectedValue != "")
        {
            CarSqlST.Append(" and State= @pCity");
            parameters.Add("@pCity", citiesdrdolst.SelectedValue);
        }

        if (CarCondDrDw.SelectedValue != "")
        {
            CarSqlST.Append(" and Condition= @pCondition");
            parameters.Add("@pCondition", CarCondDrDw.SelectedValue);
        }

        if (CarstusDRDL.SelectedValue != "")
        {
            CarSqlST.Append(" and Status= @pStatus");
            parameters.Add("@pStatus", CarstusDRDL.SelectedValue);
        }

        if ((CarPriceFrmDrDw.SelectedValue != "") && (CarPriceToDrDw.SelectedValue != ""))
        {
            CarSqlST.Append(" and AdsPrice BETWEEN @pLowPrice AND @pHighPrice");
            parameters.Add("@pLowPrice", CarPriceFrmDrDw.SelectedValue);
            parameters.Add("@pHighPrice", CarPriceToDrDw.SelectedValue);
        }

        if ((CarYearfrmDrDw.SelectedValue != "") && (CarYeartoDrDw.SelectedValue != ""))
        {
            CarSqlST.Append(" and Year BETWEEN @pLowYear AND @pHighYear");
            parameters.Add("@pLowYear", CarYearfrmDrDw.SelectedValue);
            parameters.Add("@pHighYear", CarYeartoDrDw.SelectedValue);

        }

        DataTable cdt = new DataTable();
        SqlCommand ccmd = carcon.CreateCommand();;
        ccmd.CommandType = CommandType.Text;

        // Add all the parameters into this command
        foreach (var parameter in parameters)
        {
            ccmd.Parameters.Add(parameter.Key, parameter.Value);
        }

        // set the command text from string builder
        ccmd.CommandText = CarSqlST.ToString();

        SqlDataAdapter ad = new SqlDataAdapter();
        ad.SelectCommand = ccmd;
    }
}

您可以在顶部创建命令并立即填写sql参数而不是字典,但我更喜欢字典方法以防万一发生 - 异常或我们需要保释我们从未创建过SQL命令。 / p>