WHERE clause needs to come from a variable or textbox

Time: 2017-09-23 15:43:26

Tags: .net vb.net

I need the "WHERE" to come from a variable or textbox, and I am having a hard time successfully replacing "IN PRODUCTION" with a variable or textbox.

Can someone help me?

Private da As New SqlDataAdapter("SELECT Node as 'Node', BrandName as 'Make', ipaddress as 'IP Address', AssetNumber as 'Asset Number', AreaUsed as 'Location', " & "EthernetPortQtas 'Total Ethernet Ports', SfpPortQty as 'Total SFP Ports', EthernetPortsAvail as 'Total Ethernet Ports Available', " &
                                 "SfpPortsAvail as 'Total SFP Ports Available', PortUsedForUplink as 'Ethernet Port Used For Uplink', UplinkConnectionID as 'Uplink Iternal ID', " &
                                 "UplinkArea as 'Uplink Area', UplinkHome as 'Uplink Home', UplinkHomePanelandPosition as 'Uplink Home Panel and Position', " &
                                 "UplinkHomeSwitch as 'Uplink Home Switch', UplinkHomeSwitchPort as 'Uplink Home Switch Port', " &
                                 "LastVerifiedDate as 'Date Last Verified', LastVerifiedBy as 'Verified By', Status as 'Appliance Status' FROM tbl_Switches WHERE Status = 'IN PRODUCTION' ORDER BY Node", cs)

2 answers:

Answer 0 (score: 1)

I am used to using command objects. So...

Imports System.Data
Imports System.Data.SqlClient

Private strSQL As String = "some connection string"
Private Sub GetSomeData()
    Dim cn As New SqlConnection(strSQL)
    Dim cmd As New SqlCommand With {
        .Connection = cn,
        .CommandType = CommandType.Text,
        .CommandText = "Select Node as 'Node'...Where Status = @Status"}
    ' Typed, length-limited parameter; the value comes from the combo box text
    cmd.Parameters.Add("@Status", SqlDbType.VarChar, 20, "Status").Value = cbStatus.Text
    Dim da As New SqlDataAdapter(cmd)
End Sub

Get the parameter information from the column definition in the table. If you use a textbox, you have to do a lot of checking to prevent malicious injection. Using a parameter helps, but you can limit user input with a combo box whose DropDownStyle is set to DropDownList.

Answer 1 (score: 0)

This is not an answer, but a suggestion regarding Plutonix's advice about formatting SQL (which I agree with).

For example, you can eliminate string concatenation entirely. The following makes use of XML literals (one nice thing C# doesn't have).

All of the code below shows how to avoid string concatenation, and in doing so I believe I found a malformed SELECT statement, because the "as" shown below looks incorrect.

EthernetPortQt as 'Total Ethernet Ports'

Option Strict On
'
' I favor Infer On but suggest it off if you don't understand it
'
Option Infer Off

Imports System.Data

Public Class SampleDataOperation
    Public Sub CallDemo()
        Demo("IN PRODUCTION")
    End Sub
    Public Sub Demo(ByVal pWhereValue As String)
        Using cn As New SqlClient.SqlConnection With {.ConnectionString = "TODO"}
            ' XML literal: the whole statement is one string, no concatenation
            Dim SelectStatement As String =
                <SQL>
                    SELECT 
                        Node as 'Node', 
                        BrandName as 'Make', 
                        ipaddress as 'IP Address', 
                        AssetNumber as 'Asset Number', 
                        AreaUsed as 'Location',
                        EthernetPortQt as 'Total Ethernet Ports', 
                        SfpPortQty as 'Total SFP Ports', 
                        EthernetPortsAvail as 'Total Ethernet Ports Available',
                        SfpPortsAvail as 'Total SFP Ports Available', 
                        PortUsedForUplink as 'Ethernet Port Used For Uplink', 
                        UplinkConnectionID as 'Uplink Iternal ID', 
                        UplinkArea as 'Uplink Area', 
                        UplinkHome as 'Uplink Home', 
                        UplinkHomePanelandPosition as 'Uplink Home Panel and Position', 
                        UplinkHomeSwitch as 'Uplink Home Switch', 
                        UplinkHomeSwitchPort as 'Uplink Home Switch Port', 
                        LastVerifiedDate as 'Date Last Verified', 
                        LastVerifiedBy as 'Verified By', 
                        Status as 'Appliance Status' 
                    FROM tbl_Switches 
                        WHERE Status = @StatusCondition
                    ORDER BY Node
                </SQL>.Value

            ' The command has to be attached to the connection, otherwise Fill fails
            Using cmd As New SqlClient.SqlCommand With {.Connection = cn, .CommandText = SelectStatement}

                ' The filter value travels as a parameter, never inside the SQL text
                cmd.Parameters.AddWithValue("@StatusCondition", pWhereValue)

                Dim da As New SqlClient.SqlDataAdapter(cmd)
                '
                ' continue...
                '
            End Using
        End Using
    End Sub
End Class
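As an added example (not code from the question or either answer), this combines both suggestions for the case where the status really does come from a TextBox: the typed value is checked against a fixed list of known statuses before it is bound as a typed, length-limited parameter, and the adapter fills a DataTable. The connection string, the list of allowed statuses and the shortened column list are assumptions; tbl_Switches and its Status column come from the question.

```vbnet
Option Strict On
Option Infer Off

Imports System.Data
Imports System.Data.SqlClient

' Added example, not from the question or either answer. tbl_Switches and
' its Status column come from the question; the connection string, the
' list of valid statuses and the shortened column list are assumptions.
Public Module SwitchQueries

    ' Mirrors the DropDownList suggestion for free text: only values the
    ' database actually uses for Status are accepted (placeholder list).
    Private ReadOnly AllowedStatuses As String() =
        {"IN PRODUCTION", "SPARE", "RETIRED"}

    Public Function GetSwitchesByStatus(connectionString As String,
                                        requestedStatus As String) As DataTable
        ' Normalise what the user typed, then check it against the fixed list
        Dim status As String = If(requestedStatus, String.Empty).Trim().ToUpperInvariant()
        If Array.IndexOf(AllowedStatuses, status) < 0 Then
            Throw New ArgumentException(
                "Unknown appliance status: " & status, NameOf(requestedStatus))
        End If

        ' The filter value is never concatenated into the SQL text. @Status is
        ' sent separately as a typed, length-limited parameter, so quotes or
        ' SQL keywords in the input are just characters to compare against.
        Dim sql As String =
            "SELECT Node AS 'Node', BrandName AS 'Make', ipaddress AS 'IP Address', " &
            "Status AS 'Appliance Status' " &
            "FROM tbl_Switches WHERE Status = @Status ORDER BY Node"

        Dim table As New DataTable()
        Using cn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(sql, cn)
                cmd.Parameters.Add("@Status", SqlDbType.VarChar, 20).Value = status
                Using da As New SqlDataAdapter(cmd)
                    da.Fill(table) ' Fill opens and closes the connection itself
                End Using
            End Using
        End Using
        Return table
    End Function

End Module
```

From a form, call `GetSwitchesByStatus(cs, txtStatus.Text)` and bind the returned DataTable to the grid; a value that is not in the list is rejected before any SQL is sent.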