Query string does not retrieve data values

Posted: 2017-10-12 14:35:44

Tags: asp.net vb.net

Hoping you can give me some help.

I have an asp.net web form that gets data from a SQL database and displays it on the web page by product code or product description. Searching by description shows a list of similar products, each with a button carrying the product code; clicking it opens another page with additional product information,

e.g. 13892 14589 17485 00010 08890

The problem is that all codes from 1 upwards show the extra details, but when I click a product code that starts with 0 (e.g. 00010, 08890) it shows no data, when there actually should be data.

Any help would be greatly appreciated.

My code is below,

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

        ' Val() converts the query-string text to a number, so "00010" becomes 10 here and in every query below
        If Val(Request.QueryString("Stock_code")) <> 0 Then

            Dim dt As DataTable = New DataTable

            ' Main stock record
            Dim strQuery As String = "SELECT STKCODE as [Stock_Code], STKNAME as [Stock_Description], STK_BASEPRICE as [Retail_Price], STK_SORT_KEY2 as [Pack_Size], STK_NOTES as [Notes], STK_P_WEIGHT as [Net_Weight], STK_S_WEIGHT as [Gross_Weight] FROM dbo.STK_STOCK WHERE STKCODE = '" & Val(Request.QueryString("Stock_code")) & "'"

            ' Physical stock in the selected warehouses
            Dim strQUery2 As String = "SELECT LOC_CODE as [Location_Code], LOC_NAME as [Location], LOC_PHYSICAL as [Physical_Stock] FROM dbo.STK_LOCATION WHERE LOC_CODE IN ('WH01','WH03','WH04','WH08','WH11') " & _
                  "AND LOC_STOCK_CODE = '" & Val(Request.QueryString("Stock_code")) & "'"

            ' Chinese description
            Dim strQuery3 As String = "SELECT STKLANG_STOCKNAME as [Chinese_Description] FROM dbo.STK_STOCK_LANG WHERE STKLANG_STOCKCODE ='" & Val(Request.QueryString("stock_code")) & "'"

            ' Price table
            Dim strQuery4 = "SELECT STK_SELLPRICE1 as [Retail_Price], STK_SELLPRICE5 as [Retail_Rest_Split] FROM dbo.STK_STOCK_2 WHERE STKCODE2 = '" & Val(Request.QueryString("stock_code")) & "'"

            Using cmd4 As SqlCommand = New SqlCommand(strQuery4)
                Dim da3 As SqlDataAdapter = New SqlDataAdapter
                Dim dt4 As New DataTable
                cmd4.Connection = cnn : cnn.Open()
                da3.SelectCommand = cmd4
                da3.Fill(dt4)
                For i = 0 To dt4.Rows.Count - 1
                    Label8.Text = dt4.Rows(i).Item("Retail_Rest_Split")
                Next
            End Using
            cnn.Close()

            Using cmd As SqlCommand = New SqlCommand(strQuery)
                Dim sda As SqlDataAdapter = New SqlDataAdapter

                cmd.Connection = cnn : cnn.Open()
                sda.SelectCommand = cmd
                sda.Fill(dt)

                For i = 0 To dt.Rows.Count - 1
                    Label7.Text = dt.Rows(i).Item("Stock_Code")

                    Label1.Text = dt.Rows(i).Item("Notes")
                    Label3.Text = dt.Rows(i).Item("Retail_Price")
                    Label4.Text = dt.Rows(i).Item("Pack_Size")
                    Label5.Text = dt.Rows(i).Item("Stock_Description")

                    'Label8.Text = dt.Rows(i).Item("Pack_Size")

                    Label9.Text = dt.Rows(i).Item("Net_Weight")
                    Label10.Text = dt.Rows(i).Item("Gross_Weight")

                    GridView1.DataSource = dt
                    GridView1.DataBind()
                Next
            End Using
            cnn.Close()

            Dim dt3 As DataTable = New DataTable
            Using cmd3 As SqlCommand = New SqlCommand(strQuery3)
                Dim da2 As SqlDataAdapter = New SqlDataAdapter

                cmd3.Connection = cnn : cnn.Open()
                da2.SelectCommand = cmd3
                da2.Fill(dt3)
            End Using

            For i = 0 To dt3.Rows.Count - 1
                Label6.Text = dt3.Rows(i).Item("Chinese_Description")
            Next

            Dim cmd2 As New SqlCommand
            Dim dt2 As New DataTable
            Dim da As New SqlDataAdapter
            With cmd2
                .Connection = cnn
                .CommandText = strQUery2
            End With

            da.SelectCommand = cmd2
            da.Fill(dt2)
            GridView1.DataSource = dt2
            GridView1.DataBind()

        End If
    End Sub

2 answers:

Answer 0 (score: 0)

You want to use a parameterized query like this (I'm wrapping the query string so it reads without horizontal scrolling):

Dim strQuery As String = "SELECT STKCODE as [Stock_Code], STKNAME as [Stock_Description], " & _
                         "STK_BASEPRICE as [Retail_Price], STK_SORT_KEY2 as " & _
                         "[Pack_Size], STK_NOTES as [Notes], STK_P_WEIGHT as " & _
                         "[Net_Weight], STK_S_WEIGHT as [Gross_Weight] FROM " & _
                         "dbo.STK_STOCK WHERE STKCODE = @StockCode"

Using cmd As New SqlCommand(strQuery)
    ' The raw query-string text is bound to the placeholder; no quoting, no concatenation
    cmd.Parameters.AddWithValue("@StockCode", Request.QueryString("Stock_code"))

    ' Do your other stuff here.
End Using

Note that you don't want to insert query parameters using plain string concatenation. That opens you up to SQL injection attacks.

Instead, you use a placeholder in the query, like @StockCode. Then you call AddWithValue on the command, giving it the value for that parameter.

If needed, you can also specify the parameter type explicitly:

    ' Add CustomerID parameter for WHERE clause.
    command.Parameters.Add("@ID", SqlDbType.Int)
    command.Parameters("@ID").Value = customerID

Answer 1 (score: 0)

Assuming they are all 5-digit codes, this will make sure the stock code is numeric.

Replace

Val(Request.QueryString("Stock_code"))

with

String.Format("{0:00000}", Integer.Parse(Request.QueryString("Stock_code")))

If Request.QueryString("Stock_code") cannot be parsed as an integer, it will throw an exception, which prevents malicious injection.

For example:

' Integer.Parse rejects anything that is not a whole number; the format string pads it back to five digits
Dim stockCode = String.Format("{0:00000}", Integer.Parse(Request.QueryString("Stock_code")))

Dim strQuery As String = "SELECT STKCODE as [Stock_Code], STKNAME as [Stock_Description], STK_BASEPRICE as [Retail_Price], STK_SORT_KEY2 as [Pack_Size], STK_NOTES as [Notes], STK_P_WEIGHT as [Net_Weight], STK_S_WEIGHT as [Gross_Weight] FROM dbo.STK_STOCK WHERE STKCODE = '" & stockCode & "'"
Dim strQUery2 As String = "SELECT LOC_CODE as [Location_Code], LOC_NAME as [Location], LOC_PHYSICAL as [Physical_Stock] FROM dbo.STK_LOCATION WHERE LOC_CODE IN ('WH01','WH03','WH04','WH08','WH11') " & "AND LOC_STOCK_CODE = '" & stockCode & "'"
Dim strQuery3 As String = "SELECT STKLANG_STOCKNAME as [Chinese_Description] FROM dbo.STK_STOCK_LANG WHERE STKLANG_STOCKCODE ='" & stockCode & "'"
Dim strQuery4 = "SELECT STK_SELLPRICE1 as [Retail_Price], STK_SELLPRICE5 as [Retail_Rest_Split] FROM dbo.STK_STOCK_2 WHERE STKCODE2 = '" & stockCode & "'"

@dwilliss just answered using parameters, which is probably better than my approach. Posting anyway.
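The two answers above point at the same pair of fixes: keep the stock code out of the SQL text, and reject anything that is not a five-digit code before it reaches the database. The following is an added example that combines both; it is not code from either answerer or from the asker's project. It assumes STKCODE is a varchar(5) column, a web.config connection string named "Stock", and the Label/GridView names used in the question; StockLookup, TryNormalizeStockCode, LoadStock, LoadLocations and StockDetails are hypothetical names. Unlike Integer.Parse followed by String.Format, the regex check never converts "00010" into the number 10, so the leading zeros that Val() throws away are preserved end to end while non-codes are still refused.

```vb
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

' Hypothetical helper; the question keeps all of this inside Page_Load with a shared cnn object.
Public Class StockLookup
    Private ReadOnly _connectionString As String

    Public Sub New(connectionString As String)
        _connectionString = connectionString
    End Sub

    ' Accepts exactly five digits and returns them unchanged, otherwise Nothing.
    ' Val("00010") returns 10, so the original WHERE clause compared STKCODE = '10'
    ' with the stored '00010' and matched nothing; validating the text instead of
    ' converting it keeps the leading zeros and still rejects anything that is not a code.
    Public Shared Function TryNormalizeStockCode(raw As String) As String
        If raw Is Nothing Then Return Nothing
        Dim trimmed As String = raw.Trim()
        If Not Regex.IsMatch(trimmed, "^\d{5}$") Then Return Nothing
        Return trimmed
    End Function

    ' STK_STOCK row for one code.
    Public Function LoadStock(stockCode As String) As DataTable
        Dim sql As String = "SELECT STKCODE AS [Stock_Code], STKNAME AS [Stock_Description], " &
            "STK_BASEPRICE AS [Retail_Price], STK_SORT_KEY2 AS [Pack_Size], STK_NOTES AS [Notes], " &
            "STK_P_WEIGHT AS [Net_Weight], STK_S_WEIGHT AS [Gross_Weight] " &
            "FROM dbo.STK_STOCK WHERE STKCODE = @StockCode"
        Return RunQuery(sql, stockCode)
    End Function

    ' Physical stock per warehouse for one code.
    Public Function LoadLocations(stockCode As String) As DataTable
        Dim sql As String = "SELECT LOC_CODE AS [Location_Code], LOC_NAME AS [Location], LOC_PHYSICAL AS [Physical_Stock] " &
            "FROM dbo.STK_LOCATION " &
            "WHERE LOC_CODE IN ('WH01','WH03','WH04','WH08','WH11') AND LOC_STOCK_CODE = @StockCode"
        Return RunQuery(sql, stockCode)
    End Function

    ' The stock code is bound as a typed parameter, so the SQL text never contains user input
    ' and no quoting or concatenation is needed. STKCODE is assumed to be varchar(5).
    Private Function RunQuery(sql As String, stockCode As String) As DataTable
        Dim dt As New DataTable()
        Using cnn As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand(sql, cnn)
                cmd.Parameters.Add("@StockCode", SqlDbType.VarChar, 5).Value = stockCode
                Using da As New SqlDataAdapter(cmd)
                    da.Fill(dt)   ' Fill opens the connection and closes it again
                End Using
            End Using
        End Using
        Return dt
    End Function
End Class

' Code-behind of the details page; Label and GridView names follow the question.
Partial Public Class StockDetails
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
        Dim stockCode As String = StockLookup.TryNormalizeStockCode(Request.QueryString("Stock_code"))
        If stockCode Is Nothing Then
            Label7.Text = "Unknown stock code"   ' reject bad input instead of querying with a mangled value
            Return
        End If

        ' "Stock" is an assumed <connectionStrings> entry in web.config.
        Dim lookup As New StockLookup(ConfigurationManager.ConnectionStrings("Stock").ConnectionString)

        Dim stock As DataTable = lookup.LoadStock(stockCode)
        If stock.Rows.Count > 0 Then
            Dim row As DataRow = stock.Rows(0)
            Label7.Text = row("Stock_Code").ToString()
            Label5.Text = row("Stock_Description").ToString()
            Label3.Text = row("Retail_Price").ToString()
        End If

        GridView1.DataSource = lookup.LoadLocations(stockCode)
        GridView1.DataBind()
    End Sub
End Class
```

Using SqlParameter.Add with an explicit SqlDbType and length (rather than AddWithValue) also fixes the parameter type for the query plan, and each query opens and disposes its own connection, which removes the unmatched cnn.Open()/cnn.Close() pairs in the original Page_Load.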