使用SQLCommand在C#中进行SQL多行查询

时间:2016-11-08 15:21:07

标签: c# sql-server

我想使用C#从SQL Server中的不同表加载特定数据但是我收到错误Incorrect syntax near the keyword 'as'. Incorrect syntax near 'EP'. Incorrect syntax near the keyword 'AND'.代码运行良好,因为我放了一个messageBox来显示查询,一个messageBox popsup并显示完整查询但是在那之后,我有一个错误,如上所述 这是代码

 private void FillGridView()
    {
        CS = ConfigurationManager.ConnectionStrings["HRMSConnectionString"].ConnectionString;
        using (SqlConnection con = new SqlConnection(CS))
        { SqlCommand cmd = new SqlCommand(query, con);
                con.Open();
                SqlDataAdapter ad = new SqlDataAdapter(cmd);
                ad.Fill(dt);
                gvShowAllData.DataSource = dt;
        }
    }

这是查询

    string query = @"Select 'ACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact" +
",D.desig_id,D.desig_name" +
"from EMP_Master as e,EMP_Posting_Log as p,EMP_Designation AS D" +
"where e.emp_id=p.emp_id" +
"AND P.desg_id=D.desig_id" +
"and p.status='ACTIVE'" +
"AND E.emp_name LIKE '%" + tbSearchName.Text + "%'" +
"UNION" +
"Select 'INACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact" +
",NULL,NULL" +
"from EMP_Master as e" +
"WHERE E.emp_id IN (SELECT DISTINCT EP.emp_id FROM EMP_Posting_Log AS EP" +
"WHERE EP.status='INACTIVE')" +
"AND E.emp_name LIKE '%" + tbSearchName.Text + "%'" +
"UNION" +
"Select 'NOT POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact" +
",NULL,NULL" +
"from EMP_Master as e" +
"WHERE E.emp_id NOT IN (SELECT DISTINCT EP1.emp_id FROM EMP_Posting_Log AS EP1)" +
"AND E.emp_name LIKE '%" + tbSearchName.Text + "%'";

3 个答案:

答案 0 :(得分:6)

你的字符串部分之间需要空格。你期望串联创建新的行,但现实是它不是如何工作。如果您想在字符串之间添加新行或空格,则需要在字符串中添加该行。

更重要的问题是您的查询容易受到SQL注入攻击。您应该始终使用参数进行用户输入。

string query = @"Select 'ACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact,D.desig_id,D.desig_name
 from EMP_Master as e,EMP_Posting_Log as p,EMP_Designation AS D
 where e.emp_id=p.emp_id
 AND P.desg_id=D.desig_id
 and p.status='ACTIVE'
 AND E.emp_name LIKE @tbSearchName
 UNION
 Select 'INACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact,NULL,NULL
 from EMP_Master as e
 WHERE E.emp_id IN (SELECT DISTINCT EP.emp_id FROM EMP_Posting_Log AS EP
 WHERE EP.status='INACTIVE')
 AND E.emp_name LIKE @tbSearchName
 UNION
 Select 'NOT POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact,NULL,NULL
 from EMP_Master as e
 WHERE E.emp_id NOT IN (SELECT DISTINCT EP1.emp_id FROM EMP_Posting_Log AS EP1)
 AND E.emp_name LIKE @tbSearchName";

添加参数:

cmd.Parameters.Add(new SqlParameter("@tbSearchName", SqlDbType.VarChar) {Value = "%" + tbSearchName.Text + "%"});

答案 1 :(得分:2)

你的问题是因为字符串的连接。当您使用+

开始字符串时,可以使用@在多行上书写字符串 
string query = @"
Select 'ACTIVE POSTING' as POSTING, e.emp_id, e.emp_name, 
        e.emp_fathername, e.emp_nic, e.emp_contact, D.desig_id, D.desig_name

//and so on continue with your query
";

另请查看SqlCommand.Parameters以防止您的代码被SQL注入。

答案 2 :(得分:1)

虽然它在你的代码中显示为'in lines',但你只是制作一大行SQL并且你的空格不正确 - 你可以尝试类似

        System.Text.StringBuilder sb = new System.Text.StringBuilder();

        sb.AppendLine(@"Select 'ACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact");
        sb.AppendLine(@",D.desig_id,D.desig_name");
        sb.AppendLine(@"from EMP_Master as e,EMP_Posting_Log as p,EMP_Designation AS D");
        sb.AppendLine(@"where e.emp_id=p.emp_id");
        sb.AppendLine(@"AND P.desg_id=D.desig_id");
        sb.AppendLine(@"and p.status='ACTIVE'");
        sb.AppendLine("AND E.emp_name LIKE '%" + tbSearchName.Text.Replace(@"'",@"''") + "%'");  //escape single quote to avoid SQL injection attack

        //....and so on with the rest of your lines

        string query = sb.ToString();

        //then as before
相关问题
最新问题