我的查询似乎没有在我的代码中响应,但是,在SQL脚本区域中,我的脚本干净地执行。手头的问题必须只是我从查询的其余部分插入变量的方式,例如在末尾添加括号但不能读取。我在.NET Gridview中这样做。任何想法,将不胜感激。如果您需要更多信息,请与我们联系。
SQL(没有问题):
SELECT [TeamID], [TeamName], [SportsType], [ContactName], [ContactPhone], [ContactEmail] FROM [Teams] WHERE CompanyID = (SELECT CompanyID FROM Company WHERE companyadminUserName = 'rec1') OR CompanyID = (SELECT CompanyID FROM Employee WHERE EmployeeBarcodeNumber = 'rec1')
在代码(问题)中:
public String loggedInUser = "rec1";
SqlDataSource1.SelectCommand = "SELECT [TeamID], [TeamName], [SportsType], [ContactName], [ContactPhone], [ContactEmail] FROM [Teams] WHERE CompanyID = (SELECT CompanyID FROM Company WHERE companyadminUserName ="+loggedInUser+") OR CompanyID = (SELECT CompanyID FROM Employee WHERE EmployeeBarcodeNumber ="+loggedInUser+"')'";
答案 0 :(得分:4)
连接像这样的查询可能是一个非常糟糕的安全漏洞。如果您正在编写生产代码,请使用SqlParameters来防止sql注入攻击。使用SqlParameters还意味着您更少有机会遇到与引用相关的错误(例如您拥有的错误)。
How does SQLParameter prevent SQL Injection?
dateString = 2015-06-16 date = (null)答案 1 :(得分:1)
你似乎错过了一些" ' "在代码中构建查询时。
试试这个:
public String loggedInUser = "rec1";
SqlDataSource1.SelectCommand = "SELECT [TeamID], [TeamName], [SportsType], [ContactName], [ContactPhone], [ContactEmail] FROM [Teams] WHERE CompanyID = (SELECT CompanyID FROM Company WHERE companyadminUserName = '"+loggedInUser+"') OR CompanyID = (SELECT CompanyID FROM Employee WHERE EmployeeBarcodeNumber = '"+loggedInUser+"')";
答案 2 :(得分:0)
你的sql命令字符串有问题
SqlDataSource1.SelectCommand = "SELECT [TeamID], [TeamName], [SportsType], [ContactName], [ContactPhone], [ContactEmail] FROM [Teams] WHERE CompanyID = (SELECT CompanyID FROM Company WHERE companyadminUserName = '"+loggedInUser+"') OR CompanyID = (SELECT CompanyID FROM Employee WHERE EmployeeBarcodeNumber = '"+loggedInUser+"')";