Unable to retrieve values from the database as expected. Need the correct query to get the answer

Time: 2015-08-17 11:14:19

Tags: c# asp.net

There are four text boxes where the user enters values, and the results are shown in a GridView based on those values.

The problem is that when the user leaves one of the text boxes blank, the results should be based only on the other three text boxes. But my query does not work here. This is where I'm stuck.

// Requires: using System.Data; using System.Data.SqlClient;
// 'con' is a SqlConnection field declared elsewhere in the page class.
protected void LoadGridData5()
{
    try
    {
        GridView1.Visible = false;
        con.Open();

        string ID = IDTEXT.Text;
        string ROLE = DropDownList2.SelectedValue.ToString();
        string str = TextBox1.Text.ToString();

        // The command has to exist before parameters can be added to it
        // (originally the Parameters.Add calls came before this declaration).
        SqlCommand cmd = new SqlCommand("SP_OPERATORS", con);
        cmd.CommandType = CommandType.StoredProcedure;

        // A blank text box is passed as an empty string, not as NULL, so the
        // stored procedure's "Is Not Null" checks still add that predicate.
        cmd.Parameters.Add("@ID", SqlDbType.Int).Value = ID;
        cmd.Parameters.Add("@NAME", SqlDbType.NVarChar).Value = str;
        cmd.Parameters.Add("@ROLE", SqlDbType.VarChar).Value = ROLE;
        cmd.Parameters.Add("@DOB", SqlDbType.DateTime).Value = DOBTEXT.Text;

        SqlDataAdapter da = new SqlDataAdapter(cmd);
        DataSet ds = new DataSet();
        da.Fill(ds, "OPERATOR");   // Fill executes the stored procedure
        cmd.ExecuteNonQuery();     // executes it a second time; the result is discarded
        //GridView1.DataSource = ds;
        //GridView1.DataBind();
        //con.Close();
        if (ds.Tables[0].Rows.Count > 0)
        {
            GridView1.DataSource = ds;
            GridView1.DataBind();
        }
        else
        {
            // Bind one empty row and merge its cells into a single "no records" cell
            ds.Tables[0].Rows.Add(ds.Tables[0].NewRow());
            GridView1.DataSource = ds;
            GridView1.DataBind();
            int columncount = GridView1.Rows[0].Cells.Count;
            GridView1.Rows[0].Cells.Clear();
            GridView1.Rows[0].Cells.Add(new TableCell());
            GridView1.Rows[0].Cells[0].ColumnSpan = columncount;
            GridView1.Rows[0].Cells[0].Text = "No Records Found";
        }
    }
    catch
    {
        // Every exception (including a failed parameter conversion) is swallowed here
        //Response.Redirect("Error.aspx");
    }
    finally
    {
        con.Close();
    }
}

Here is the stored procedure

CREATE PROCEDURE SP_OPERATORS
    @ID INT,
    @NAME NVARCHAR(50),
    @DOB DATETIME,
    @ROLE VARCHAR(50)
AS
Set NoCount ON

Declare @SQLQuery AS NVarchar(4000)
Declare @ParamDefinition AS NVarchar(2000)

Set @SQLQuery = 'Select * From [OPERATOR] where (1=1) '

-- One predicate per supplied parameter.
-- NOTE: @NAME is spliced into the statement text here, unlike the other three
-- values, which are bound through sp_executesql below.
If @NAME Is Not Null
    Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')'
If @ID Is Not Null
    Set @SQLQuery = @SQLQuery + ' And (ID=@ID)'
If @DOB Is Not Null
    Set @SQLQuery = @SQLQuery + ' And (DOB=@DOB)'
If @ROLE Is Not Null
    Set @SQLQuery = @SQLQuery + ' And (ROLE=@ROLE)'

-- The combinations below append predicates that the single checks above
-- have already added, so the same condition ends up in the query more than once.
If (@NAME Is Not Null) AND (@DOB Is Not Null)
    Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')' + ' And (DOB=@DOB)'

If (@NAME Is Not Null) AND (@ROLE Is Not Null)
    Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')' + ' And (ROLE=@ROLE)'

If (@DOB Is Not Null) AND (@ID Is Not Null)
    Set @SQLQuery = @SQLQuery + ' And (DOB=@DOB)' + ' And (ID=@ID)'

If (@ROLE Is Not Null) AND (@ID Is Not Null)
    Set @SQLQuery = @SQLQuery + ' And (ROLE=@ROLE)' + ' And (ID=@ID)'

If (@ROLE Is Not Null) AND (@DOB Is Not Null)
    Set @SQLQuery = @SQLQuery + ' And (DOB=@DOB)' + ' And (ROLE=@ROLE)'

If (@NAME Is Not Null) AND (@ID Is Not Null) AND (@ROLE Is Not Null)
    Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')' + ' And (ID=@ID)' + ' And (ROLE=@ROLE)'

If (@NAME Is Not Null) AND (@ID Is Not Null) AND (@DOB Is Not Null)
    Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')' + ' And (ID=@ID)' + ' And (DOB=@DOB)'

If (@ROLE Is Not Null) AND (@ID Is Not Null) AND (@DOB Is Not Null)
    Set @SQLQuery = @SQLQuery + ' And (ROLE=@ROLE)' + ' And (ID=@ID)' + ' And (DOB=@DOB)'

If (@NAME Is Not Null) AND (@ID Is Not Null) AND (@DOB Is Not Null) AND (@ROLE Is Not Null)
    Set @SQLQuery = @SQLQuery + ' And (NAME LIKE '''+ '%' + @NAME + '%' + ''')' + ' And (ID=@ID)' + ' And (ROLE=@ROLE)' + ' And (DOB=@DOB)'

Set @ParamDefinition =
    '@ID INT,
     @NAME NVARCHAR(50),
     @DOB DATETIME,
     @ROLE VARCHAR(50)'

-- Bind the values by name. The original passed them positionally as
-- @ID, @NAME, @ROLE, @DOB, which does not match the order in @ParamDefinition,
-- so @DOB received the role string and @ROLE received the date.
Execute sp_Executesql @SQLQuery,
    @ParamDefinition,
    @ID = @ID,
    @NAME = @NAME,
    @DOB = @DOB,
    @ROLE = @ROLE

If @@ERROR <> 0 GoTo ErrorHandler
Set NoCount OFF
Return(0)

ErrorHandler:
Return(@@ERROR)
GO

1 answer:

Answer 0: (score: 0)

Your call to da.Fill(ds) executes the query, so the extra cmd.ExecuteNonQuery afterwards is not needed.

For your own sake, please switch the constructed string you use for the query to a stored procedure call or a parameterized query. If someone puts a malicious value into any of those text boxes, you are open to SQL injection. There are more details here (http://www.techrepublic.com/article/shorten-development-time-by-using-parameterized-queries-in-adonet/) and here (https://msdn.microsoft.com/en-us/library/bbw6zyha(v=vs.110).aspx).

It is also not very clear what you are trying to do with the query. At the moment it tries to match all the parameters you specify, because you are using 'AND' between each predicate. If you are trying to do a search, you may want some of them to be 'OR'. Or you may only want to add the predicates for which a value was supplied. Currently, for example, if you leave the ID text box blank, you will only get back results where the operator ID is blank, and that does not sound like what you intended.
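A hardened version of the stored procedure along the lines the answer suggests, added here as an example and not part of the original question or answer; it assumes the same [OPERATOR] table and column names and SQL Server 2008 or later (for inline DECLARE initialisers and +=). It binds the LIKE pattern through sp_executesql instead of splicing @NAME into the statement text, adds only the predicates whose value was actually supplied, and escapes LIKE wildcards typed by the user:

```sql
-- Added example: parameterised replacement for SP_OPERATORS (not the poster's code).
CREATE PROCEDURE SP_OPERATORS_SAFE
    @ID   INT          = NULL,
    @NAME NVARCHAR(50) = NULL,
    @DOB  DATETIME     = NULL,
    @ROLE VARCHAR(50)  = NULL
AS
SET NOCOUNT ON;

-- A blank text box usually arrives as '' rather than NULL; treat both as "no filter".
SET @NAME = NULLIF(LTRIM(RTRIM(@NAME)), N'');
SET @ROLE = NULLIF(LTRIM(RTRIM(@ROLE)), '');

-- Escape LIKE metacharacters in the user's text, then build the pattern. The pattern
-- is handed to sp_executesql as a bound value, so it never becomes part of the statement.
DECLARE @NamePattern NVARCHAR(200) = NULL;
IF @NAME IS NOT NULL
    SET @NamePattern = N'%' + REPLACE(REPLACE(REPLACE(@NAME, N'[', N'[[]'),
                                                     N'%', N'[%]'),
                                                     N'_', N'[_]') + N'%';

DECLARE @SQLQuery NVARCHAR(4000) = N'SELECT * FROM [OPERATOR] WHERE 1 = 1';

-- Exactly one predicate per value that was supplied; nothing is duplicated.
IF @ID          IS NOT NULL SET @SQLQuery += N' AND ID = @ID';
IF @NamePattern IS NOT NULL SET @SQLQuery += N' AND NAME LIKE @NamePattern';
IF @DOB         IS NOT NULL SET @SQLQuery += N' AND DOB = @DOB';
IF @ROLE        IS NOT NULL SET @SQLQuery += N' AND ROLE = @ROLE';

-- Bind every value by name so the declaration order cannot silently mismatch.
EXEC sp_executesql @SQLQuery,
     N'@ID INT, @NamePattern NVARCHAR(200), @DOB DATETIME, @ROLE VARCHAR(50)',
     @ID = @ID, @NamePattern = @NamePattern, @DOB = @DOB, @ROLE = @ROLE;

RETURN 0;
GO
```

On the C# side, a blank text box should be bound as DBNull.Value (after parsing ID and DOB into int and DateTime when present), because an empty string assigned to an Int or DateTime SqlParameter fails conversion before the procedure even runs.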