What is wrong with this SELECT query?

Time: 2010-12-30 13:09:58

Tags: asp.net vb.net tsql ado.net

Dim cmdSelect As New SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code =" & lab5.Text & "ORDER BY [Ticket_no] DESC", SQLData)

2 answers:

Answer 0 (score: 8)

You are building the SQL query with string concatenation instead of a parameterized query or a stored procedure. That is what is wrong with it. Here is the improved version:

Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code = @serv_code ORDER BY [Ticket_no] DESC", SQLData)
cmdSelect.Parameters.AddWithValue("@serv_code", lab5.Text)

Now your query will work, and not only that, it is also safe against SQL injection.

Answer 1 (score: 3)

Missing quotes:

Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code ='" & lab5.Text & "' ORDER BY [Ticket_no] DESC", SQLData)
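As an added illustration of the difference between the two answers (this is not code from the question or from either answer), the following script runs the three query shapes seen on this page against a small constructed in-memory table: the question's original concatenation, answer 1's quoted concatenation, and answer 0's bound parameter. It uses Python and sqlite3 so that it runs offline; the question's code is VB.NET over ADO.NET against SQL Server, where the bound parameter is written @serv_code rather than sqlite's ?. The table, its rows and the input values are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the question's [a1_ticket] table.
# sqlite3 is used so the example runs offline; the question targets SQL Server
# through ADO.NET, whose placeholder syntax is @name rather than sqlite's ?.
SAMPLE_ROWS = [
    # (serv_code, Ticket_no, seat_remain)
    ("AB12", 1001, 40),
    ("AB12", 1002, 35),
    ("CD34", 1003, 12),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE a1_ticket (serv_code TEXT, Ticket_no INTEGER, seat_remain INTEGER)"
    )
    conn.executemany("INSERT INTO a1_ticket VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concatenated(conn, serv_code):
    """The question's original string: no quotes around the value and no
    space before ORDER BY, so the SQL that reaches the engine is malformed."""
    sql = (
        "SELECT DISTINCT seat_remain FROM a1_ticket WHERE serv_code ="
        + serv_code
        + "ORDER BY Ticket_no DESC"
    )
    return [row[0] for row in conn.execute(sql)]


def query_quoted(conn, serv_code):
    """Answer 1's fix: quotes and the space restored, but the value is still
    spliced into the SQL text, so any quote character in it alters the query."""
    sql = (
        "SELECT DISTINCT seat_remain FROM a1_ticket WHERE serv_code ='"
        + serv_code
        + "' ORDER BY Ticket_no DESC"
    )
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, serv_code):
    """Answer 0's fix: the value is bound as a parameter and never becomes
    part of the SQL text, so the engine always treats it as data."""
    sql = (
        "SELECT DISTINCT seat_remain FROM a1_ticket "
        "WHERE serv_code = ? ORDER BY Ticket_no DESC"
    )
    return [row[0] for row in conn.execute(sql, (serv_code,))]


def compare(serv_code):
    """Run all three variants on one input and report each outcome; a string
    result marks a database error raised while parsing or running the SQL."""
    results = {}
    for name, fn in (("concatenated", query_concatenated),
                     ("quoted", query_quoted),
                     ("parameterized", query_parameterized)):
        conn = make_db()
        try:
            results[name] = fn(conn, serv_code)
        except sqlite3.Error as exc:
            results[name] = "error: " + str(exc)
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    # A normal service code, and one that merely contains an apostrophe,
    # as a name such as O'Brien would if it ever landed in lab5.Text.
    for value in ("AB12", "O'Brien"):
        print(value, compare(value))
```

Running it shows the three behaviours side by side: the concatenated form fails even on an ordinary code because the quotes and the space are missing (the question's bug); the quoted form returns the right rows for an ordinary code but fails as soon as the input contains an apostrophe, because the apostrophe becomes part of the statement; the parameterized form returns the rows for a real code and an empty result for the apostrophe input, since the value is never interpreted as SQL.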