如果我点击搜索按钮,我继续收到IDNo值的错误,“11111”附近的语法不正确可以有人帮助我吗?
With acc
IDNo = .IDNo
StartDate = DateTime.Parse(.StartDate).ToString("M/d/yyyy")
EndDate = DateTime.Parse(.EndDate).ToString("M/d/yyyy")
ProjectName = .ProjectName
ReferenceNo = .ReferenceNo
TaskCode = .TaskCode
FileName = .Filename
End With
dgAccomplishment.DataSource = Nothing
dgAccomplishmentPT.DataSource = Nothing
da = New SqlDataAdapter("dbo.process_time @User='" & IDNo & "' ,@From='" & StartDate & "',@To='" & EndDate & " 11:59:59 PM'", DB.GetConnection)
dt = New DataTable
da.Fill(dt)
dgAccomplishment.DataSource = dt
dgAccomplishment.Columns("ID").Visible = False
dgAccomplishment.Columns("TimeSave").Visible = False
da.Dispose()
dt.Dispose()
这是我的存储过程
SELECT a.ID, RTRIM(a.Last_User) [ID No.],
RTRIM(Users.FIRSTNAME + ' ' + Users.INITIAL + '. ' + Users.LASTNAME) [Name],
RTRIM(a.ProjectName) [Project Name],
a.ProjectNo, a.ProjectCode,
RTRIM(a.Filename) [Filename],
RTRIM(a.Filesize) [Filesize],
RTRIM(a.filesizeunit) [FileSizeUnit],
a.TimeSave [TimeSave]
from DBase.dbo.Acc a
INNER JOIN dbo.Users ON a.Last_User = Users.IDNo
WHERE a.Last_User in (@user)
and CONVERT(VARCHAR(10),timesave,101) BETWEEN @From AND @To
ORDER BY RTRIM(a.SubGroup), RTRIM(a.Last_User)
但是当我尝试在查询中运行该过程时效果很好。
答案 0 :(得分:0)
因为您正在使用字符串连接,所以您有一个陈旧的单引号问题:如果IDNo值包含单引号,那么您的查询将失败。
更糟糕的是,您的代码容易受到SQL注入攻击。
您必须转义单引号的所有参数,将它们替换为2个单引号。
此处为最佳解决方案:使用参数化sql