使用存储过程vb.net显示数据

时间:2015-09-05 08:13:59

标签: sql-server vb.net stored-procedures datagridview

如果我点击搜索按钮,我继续收到IDNo值的错误,“11111”附近的语法不正确可以有人帮助我吗?

    With acc
        IDNo = .IDNo
        StartDate = DateTime.Parse(.StartDate).ToString("M/d/yyyy")
        EndDate = DateTime.Parse(.EndDate).ToString("M/d/yyyy")
        ProjectName = .ProjectName
        ReferenceNo = .ReferenceNo
        TaskCode = .TaskCode
        FileName = .Filename
    End With

    dgAccomplishment.DataSource = Nothing
    dgAccomplishmentPT.DataSource = Nothing
    da = New SqlDataAdapter("dbo.process_time @User='" & IDNo & "' ,@From='" & StartDate & "',@To='" & EndDate & " 11:59:59 PM'", DB.GetConnection)
    dt = New DataTable
    da.Fill(dt)
    dgAccomplishment.DataSource = dt
    dgAccomplishment.Columns("ID").Visible = False
    dgAccomplishment.Columns("TimeSave").Visible = False
    da.Dispose()
    dt.Dispose()

这是我的存储过程

 SELECT a.ID, RTRIM(a.Last_User) [ID No.], 
    RTRIM(Users.FIRSTNAME + ' ' + Users.INITIAL + '. ' + Users.LASTNAME) [Name],
    RTRIM(a.ProjectName) [Project Name], 
    a.ProjectNo, a.ProjectCode, 
    RTRIM(a.Filename) [Filename],
    RTRIM(a.Filesize) [Filesize], 
    RTRIM(a.filesizeunit) [FileSizeUnit],
    a.TimeSave [TimeSave] 
 from DBase.dbo.Acc  a
    INNER JOIN dbo.Users ON a.Last_User = Users.IDNo
 WHERE a.Last_User in (@user) 
    and CONVERT(VARCHAR(10),timesave,101) BETWEEN @From AND @To 
 ORDER BY RTRIM(a.SubGroup), RTRIM(a.Last_User)

但是当我尝试在查询中运行该过程时效果很好。

1 个答案:

答案 0 :(得分:0)

因为您正在使用字符串连接,所以您有一个陈旧的单引号问题:如果IDNo值包含单引号,那么您的查询将失败。

更糟糕的是,您的代码容易受到SQL注入攻击。

您必须转义单引号的所有参数,将它们替换为2个单引号。

此处为最佳解决方案:使用参数化sql