我的Count Query asp.net有什么问题

时间:2015-10-06 14:46:56

标签: asp.net sql-server vb.net visual-studio visual-studio-2010

production

代码显示错误

  

无效的列名称' California'。

但我的Public state_name as String state_name = Textbox1.Text Dim constr As String = ConfigurationManager.ConnectionStrings("ApplicationServices").ConnectionString Dim query As String = "SELECT Count(cities) FROM state_table WHERE state_name=" & state_name Using conn As New SqlConnection(constr) Using comm As New SqlCommand() conn.Open() With comm .Connection = conn .CommandText = query .CommandType = CommandType.Text End With Dim count As Int16 = Convert.ToInt16(comm.ExecuteScalar()) Label1.Text = count End Using End Using 表格中已经存在California,我想要计算State表格中所有已列入state_name= california表中的所有城市。

我希望输出为

State

2 个答案:

答案 0 :(得分:2)

您希望使用参数化查询来避免SQL Injection.

[copy] Copying 2 files to C:\ant\paste
[copy] Copying C:\ant\copy\anythis.a to C:\ant\paste\that.a
[copy] Copying C:\ant\copy\new\testthis.a to C:\ant\paste\new\that.a

答案 1 :(得分:1)

因为您没有用引号括起变量。 "state_name = '" + state_name + "'"

但是,您应该使用参数。