How to use a text box as a query parameter

Time: 2018-01-08 19:34:16

Tags: c# sql-server windows

Using Visual Studio 2017, I am trying to build a Windows Forms application that lets the user retrieve specific values from a SQL Server Express database (footballteam).

The user enters a value (textBox1.Text) in a text box (@jnumber), which corresponds to a "LIKE" on "JERSEYNUMBER".

Then, after clicking a button (button1_Click), the query (commandText) is executed. The results should be displayed in a DataGridView.

The build result is: "Build: 0 succeeded, 0 failed, 1 up-to-date, 0 skipped".

However, when running the application, the user enters a numeric value in textBox.Text for @jnumber and then clicks the button (button1_Click), but dataGridView1 remains empty; there are no results.

The goal is also to avoid SQL injection. Thanks for your help.

Here is the code:

// directives
using System;
using System.Data;
using System.Windows.Forms;
using System.Data.SqlClient;

namespace displaydmlquery
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            // variable sql query
            var commandText = "SELECT * FROM JERSEY WHERE JERSEYNUMBER LIKE '%' + @jnumber+ '%' ORDER BY ASSIGNMENT_DATE";
            // variable connection string
            var connectionString = "Server=hostname\\SQLEXPRESS;Database=footballteam;User Id=userid;Password=password";

            // Create a connection instance
            using (SqlConnection connection = new SqlConnection(connectionString))
            {
                // Create a SqlCommand instance
                SqlCommand command = new SqlCommand(commandText, connection);

                // Add the parameter to used in the text box input
                command.Parameters.Add("@jnumber", SqlDbType.NVarChar, 20).Value = textBox1.Text;

                // Execute query
                try
                {
                    // open connection
                    connection.Open();

                    // create a SqlDataAdapter to execute query
                    var dataAdapter = new SqlDataAdapter(commandText, connectionString);

                    // Create command builder
                    var commandBuilder = new SqlCommandBuilder(dataAdapter);

                    // Execute query reader
                    command.ExecuteReader();

                    // create a data table to hold query
                    DataTable dtRecord = new DataTable();

                    // fill in data tbale
                    sqlDataAdap.Fill(dtRecord);

                    // Display results in  DataGridView
                    dataGridView1.DataSource = dtRecord;
                }
                catch
                {
                    // Handle exception, future code
                }
                finally
                {
                    connection.Close();
                }
            }
        }
    }
}

2 answers:

Answer 0 (score: 3)

I tried to hint at your problem in the comments, but I failed, so I took the time to give you a complete answer.

Here is what your code is doing. You will notice that some lines have question marks. Those are the troubling lines, because they make no sense. It looks like you are confusing the intent of the different data objects.

 1. set up a sql string
 2. set up a connection string
 3. create a connection Object from connection string from (2)
 4. create a command Object from the sql string and the connection object from (1) and (3) 
 5. set the value of the parameter on the command object from (4)
 6. open the connection Object from (3)
 7. create a DataAdapter object and a new connection Object (???) and a new command Object (???) from (1) and (3)
 8. create commandBuilder and generate INSERT UPDATE and DELETE commands Objects (???) from the data adapter (7)  
 9. execute the command object from (4). Disregard the results (???)
 10. create a new DataTable Object
 11. fill the DataTable from (10) with an unknown sqlDataAdap (does it have connection, sql, or parameters associated ????)
 12. set the DataSource on the datagrid to the filled(?) datatable from (10)        
 13. throw away exceptions (???)
 14. close the connection
 15. dispose the connection

Here is some code that should work:

using (SqlConnection connection = new SqlConnection(connectionString))
{

    // Create a SqlCommand instance
    SqlCommand command = new SqlCommand(commandText, connection);

    // Add the parameter to used in the text box input
    command.Parameters.Add("@jnumber", SqlDbType.NVarChar, 20).Value = textBox1.Text;


    // open connection
    connection.Open();

    // create a SqlDataAdapter from the command object (which already carries the connection and the parameter)
    var dataAdapter = new SqlDataAdapter(command);

    // create a data table to hold query
    DataTable dtRecord = new DataTable();

    // fill in data table with the dataAdapater
    dataAdapter.Fill(dtRecord);

    // Display results in  DataGridView
    dataGridView1.DataSource = dtRecord;
} // Using will close the connection when it disposes it
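As an added example (not code from the question or from either answer), here is the same pattern with the question's names, plus two things a practitioner would want: the LIKE wildcards in the user's input are escaped so the user can only search for literal characters, and exceptions are surfaced instead of swallowed. The connection string, table and column names are taken from the question; the method names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

public partial class Form1 : Form
{
    // Taken from the question; in practice use a least-privilege login (assumption).
    private const string ConnectionString =
        "Server=hostname\\SQLEXPRESS;Database=footballteam;User Id=userid;Password=password";

    // SQL Server LIKE treats %, _ and [ as pattern metacharacters. Wrapping each in []
    // makes it literal, so a user typing "1%" searches for "1%" rather than "1" followed by anything.
    // "[" is escaped first so the brackets added for % and _ are not escaped again.
    private static string EscapeLikeValue(string value)
    {
        return value.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Hypothetical helper: runs the parameterized search and returns the rows.
    private static DataTable SearchJerseys(string jerseyNumber)
    {
        // The '%' wildcards live in the command text; the user's text only ever arrives
        // as a parameter value, so it cannot change the statement (no SQL injection).
        const string commandText =
            "SELECT * FROM JERSEY WHERE JERSEYNUMBER LIKE '%' + @jnumber + '%' ORDER BY ASSIGNMENT_DATE";

        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(commandText, connection))
        using (var dataAdapter = new SqlDataAdapter(command))
        {
            // Escaping can triple the length, so the parameter size allows for that;
            // a value longer than the declared size would be silently truncated.
            command.Parameters.Add("@jnumber", SqlDbType.NVarChar, 60).Value = EscapeLikeValue(jerseyNumber);

            var table = new DataTable();
            dataAdapter.Fill(table); // Fill opens and closes the connection itself
            return table;
        }
    }

    private void button1_Click(object sender, EventArgs e)
    {
        try
        {
            dataGridView1.DataSource = SearchJerseys(textBox1.Text);
        }
        catch (SqlException ex)
        {
            // Show the failure instead of swallowing it; an empty grid with no error hides the cause.
            MessageBox.Show("Query failed: " + ex.Message);
        }
    }
}
```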

Answer 1 (score: 0)

Please try updating your query

        // variable sql query
        var commandText = "SELECT * FROM JERSEY WHERE JERSEYNUMBER LIKE '%'  @jnumber '%' ORDER BY ASSIGNMENT_DATE";

and add the parameter, as you are already doing....