我正在尝试使用以下查询更新数据库,但我在格式化日期时遇到了困难。我该怎么办?
string query = "update employee_info set FirstName ='txtfirstName.Text',LastName ='txtlastName.Text' ,Address1='txt_address', City = 'combo_city' ,Country='combo_Country',ReportsTo='txt_reportTo' WHERE Bday='dtp_birthDate.Value.ToShortDateString()' and HireDate='dtp_hireDate.Value.ToShortDateString()'";
答案 0 :(得分:0)
您应该使用参数化查询。这样您就可以正确地格式化where子句的字符串,并且还可以防止您受到SQL注入攻击(https://en.wikipedia.org/wiki/SQL_injection)的攻击
像这样的东西(下面的示例有一个缩短的查询版本,缺少设置数据库连接)。
strQuery = "update employee_info set FirstName=@firstName, LastName=@lastName WHERE Bday=@birthDate and HireDate=@hireDate";
cmd = new SqlCommand(strQuery);
cmd.Parameters.AddWithValue("@firstName", txtfirstName.Text);
cmd.Parameters.AddWithValue("@CompanyName", txtLastName.Text);
cmd.Parameters.AddWithValue("@birthDate", dtp_birthDate.Value);
cmd.Parameters.AddWithValue("@hireDate", dtp_hireDate.Value);
cmd.ExecuteNonQuery();