如何在.aspx页面中将参数值传递给Sql Query?

时间:2018-03-19 10:06:37

标签: c# asp.net parameters webforms aspx-user-control

我正在用 ASP.NET (C#) 开发,需要把 ASPX 页面上控件的值作为参数传给 SQL 查询。

在下面的代码中,我需要通过 ASP.NET 控件传递 a.cYear 和 d.AssignedDate 的值(目前它们是硬编码在 SQL 里的 '2017' 和 '2018/03/15')。

注意:我没有使用.aspx.cs页面,我在.aspx页面中创建了这段代码。

(作为对比)在使用 .aspx.cs 代码后置的页面里,我是这样取值和传值的,

    // Both inputs originate on the client: the cookie can be absent or tampered with
    // (indexing a missing cookie throws), and SelectedDate.ToString() produces
    // culture-dependent text — confirm the consumer expects that format.
    var financialYearCookie = Request.Cookies["BCookies"];
    bolMachineStatus.cyear = financialYearCookie["SessionFinancialYear"];
    var selectedDate = Calendar2.SelectedDate;
    bolMachineStatus.AssignedDate = selectedDate.ToString();

下面是完整的源码,这里的年份和日期是直接写死在 SQL 文本里的:

<script runat="server">
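    /// <summary>
    /// Runs the pending-machine-status report for the financial year held in the
    /// "BCookies"/"SessionFinancialYear" cookie and the date selected in Calendar2, then
    /// binds the result to DataGrid1 (the grid is hidden when nothing comes back).
    /// </summary>
    /// <param name="sender">The Calendar control raising the event (unused).</param>
    /// <param name="e">Event data (unused).</param>
    /// <remarks>
    /// Both filter values are client-controlled (cookie and postback state), so they are
    /// bound as SqlParameters instead of being spliced into the SQL text; building the
    /// statement with string.Format/concatenation here would be a SQL injection sink.
    /// </remarks>
    protected void Calendar2_SelectionChanged(object sender, System.EventArgs e)
    {
        // The cookie may be missing or tampered with; indexing a null HttpCookie throws.
        // Only accept a value that fits the NVARCHAR(4) cYear column below — otherwise
        // the parameter Size would silently truncate it. Hiding the grid on bad input is
        // a reviewer's choice; TODO confirm the desired UX with the page owner.
        var yearCookie = Request.Cookies["BCookies"];
        string financialYear = yearCookie == null ? null : yearCookie["SessionFinancialYear"];
        if (string.IsNullOrEmpty(financialYear) || financialYear.Length != 4)
        {
            DataGrid1.Visible = false;
            return;
        }

        // Static SQL with named placeholders. @cYear and @AssignedDate replace the values
        // that were previously hard-coded as '2017' and '2018/03/15'.
        // NOTE(review): `f.cSvPrName<>'NULL'` compares against the literal string 'NULL',
        // not SQL NULL — confirm whether `IS NOT NULL` was intended.
        const string sql = @"CREATE TABLE #PendingMachineStatus(cMBrnCode NVARCHAR(2),cMBrnName NVARCHAR(25),
                    cYear NVARCHAR(4),nCallNo INT,Date Datetime)
                    INSERT INTO #PendingMachineStatus
                    select c.cMBrnCode,c.cMBrnName,b.cYear,b.nCallNo,
                    MAX(b.StatusDate) as Date
                    from SvCallHead a
                    INNER JOIN MachineStatus b on a.cYear = b.cYear AND a.nCallNo = b.nCallNo
                    INNER JOIN SvMainBrn c on a.cMBrnCode=c.cMBrnCode
                    where b.cYear=@cYear
                    and a.cCallSuff = 'A' AND a.cCallEnd = 'N' AND  a.cServType = 'A'
                    AND a.cStatFlg  <> 'C'
                    GROUP BY c.cMBrnCode,c.cMBrnName,b.cYear,b.nCallNo

                    CREATE TABLE #MachineStatus(cMBrnCode NVARCHAR(7),cMBrnName NVARCHAR(100),cYear NVARCHAR(4),nCallNo INT,
                    MainStatus varchar(10),Status varchar(10),cSvPrCode NVARCHAR(10),AssignedDate Datetime,
                    IsSMS BIT)
                    INSERT INTO #MachineStatus
                    SELECT a.cMBrnCode,a.cMBrnName,a.cYear,a.nCallNo,b.MainStatus,b.MachineStatus,b.cSvPrCode,b.AssignedDate,b.IsSMS
                    FROM #PendingMachineStatus a
                    INNER JOIN MachineStatus b ON a.nCallNo=b.nCallNo AND a.Date=b.StatusDate

                    select COUNT(*) AS Count,
                    CASE d.cSvPrCode
                    WHEN '0' THEN NULL
                    ELSE d.cSvPrCode
                    END cSvPrCode,
                    CASE d.AssignedDate
                    WHEN '1900-01-01 00:00:00.000' THEN NULL
                    ELSE d.AssignedDate
                    END AS AssignedDate,
                    DAY(d.AssignedDate) AS Day,
                    MONTH(d.AssignedDate) AS Month,
                    f.cSvPrName
                    from SvCallHead a
                    INNER JOIN SvMainBrn b on a.cMBrnCode=b.cMBrnCode
                    LEFT JOIN SvDelrMast c on a.cDelrCode=c.cDelrCode
                    LEFT JOIN #MachineStatus d on a.cYear=d.cYear and a.nCallNo=d.nCallNo
                    LEFT JOIN SvSvPrMast f on d.cSvPrCode=f.cSvPrCode
                    where a.cYear=@cYear and d.AssignedDate=@AssignedDate and a.cCallSuff = 'A' AND a.cCallEnd= 'N'
                    AND a.cServType= 'A' AND a.cStatFlg<> 'C' AND f.cSvPrName<>'NULL'
                    group by d.cSvPrCode,d.AssignedDate,f.cSvPrName
                    order by AssignedDate asc

                    drop table #PendingMachineStatus
                    drop table #MachineStatus";

        var ds = new DataSet();
        // using-blocks guarantee the connection is returned to the pool even if Fill throws;
        // the original opened the connection by hand and never disposed it on error.
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["BConnection"].ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            // Explicit type and size match the temp-table column definitions above.
            cmd.Parameters.Add("@cYear", SqlDbType.NVarChar, 4).Value = financialYear;
            // Pass the DateTime itself rather than SelectedDate.ToString(): the string form
            // depends on the server's current culture and may not parse as the intended date.
            cmd.Parameters.Add("@AssignedDate", SqlDbType.DateTime).Value = Calendar2.SelectedDate;
            // Fill opens and closes the connection itself; no explicit Open()/Close() needed.
            da.Fill(ds);
        }

        if (ds.Tables.Count == 0 || ds.Tables[0].Rows.Count == 0)
        {
            DataGrid1.Visible = false;
        }
        else
        {
            DataGrid1.Visible = true;
            DataGrid1.DataSource = ds.Tables[0];
            DataGrid1.DataBind();
        }
    }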
</script>

3 个答案:

答案 0 :(得分:0)

更好的做法是把它放到存储过程中并参数化。注意:用 string.Format 把值拼进 SQL 文本只能用于说明值出现的位置——Request.Cookies 的值完全由客户端控制,直接拼接到 SQL 中会造成 SQL 注入,而且未加引号的日期字符串也无法通过 SQL 解析。真正执行时应在 SQL 文本里使用 @cYear、@AssignedDate 这类占位符,并通过 SqlParameter 绑定值。

类似的东西:

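           // SECURITY: never splice the cookie or calendar value into this text with
           // string.Format/concatenation. Request.Cookies is client-controlled, so that is
           // a direct SQL injection sink (and an unquoted {1} date would not even parse).
           // Keep the SQL static with named placeholders and bind the values as parameters.
           var str = @"CREATE TABLE #PendingMachineStatus(cMBrnCode NVARCHAR(2),cMBrnName NVARCHAR(25),
                cYear NVARCHAR(4),nCallNo INT,Date Datetime)
                INSERT INTO #PendingMachineStatus
                select c.cMBrnCode,c.cMBrnName,b.cYear,b.nCallNo,
                MAX(b.StatusDate) as Date
                from SvCallHead a
                INNER JOIN MachineStatus b on a.cYear = b.cYear AND a.nCallNo = b.nCallNo
                INNER JOIN SvMainBrn c on a.cMBrnCode=c.cMBrnCode
                where b.cYear=@cYear
                and a.cCallSuff = 'A' AND a.cCallEnd = 'N' AND  a.cServType = 'A'
                AND a.cStatFlg  <> 'C'
                GROUP BY c.cMBrnCode,c.cMBrnName,b.cYear,b.nCallNo

                CREATE TABLE #MachineStatus(cMBrnCode NVARCHAR(7),cMBrnName NVARCHAR(100),cYear NVARCHAR(4),nCallNo INT,
                MainStatus varchar(10),Status varchar(10),cSvPrCode NVARCHAR(10),AssignedDate Datetime,
                IsSMS BIT)
                INSERT INTO #MachineStatus
                SELECT a.cMBrnCode,a.cMBrnName,a.cYear,a.nCallNo,b.MainStatus,b.MachineStatus,b.cSvPrCode,b.AssignedDate,b.IsSMS
                FROM #PendingMachineStatus a
                INNER JOIN MachineStatus b ON a.nCallNo=b.nCallNo AND a.Date=b.StatusDate

                select COUNT(*) AS Count,
                CASE d.cSvPrCode
                WHEN '0' THEN NULL
                ELSE d.cSvPrCode
                END cSvPrCode,
                CASE d.AssignedDate
                WHEN '1900-01-01 00:00:00.000' THEN NULL
                ELSE d.AssignedDate
                END AS AssignedDate,
                DAY(d.AssignedDate) AS Day,
                MONTH(d.AssignedDate) AS Month,
                f.cSvPrName
                from SvCallHead a
                INNER JOIN SvMainBrn b on a.cMBrnCode=b.cMBrnCode
                LEFT JOIN SvDelrMast c on a.cDelrCode=c.cDelrCode
                LEFT JOIN #MachineStatus d on a.cYear=d.cYear and a.nCallNo=d.nCallNo
                LEFT JOIN SvSvPrMast f on d.cSvPrCode=f.cSvPrCode
                where a.cYear=@cYear and d.AssignedDate=@AssignedDate and a.cCallSuff = 'A' AND a.cCallEnd= 'N'
                AND a.cServType= 'A' AND a.cStatFlg<> 'C' AND f.cSvPrName<>'NULL'
                group by d.cSvPrCode,d.AssignedDate,f.cSvPrName
                order by AssignedDate asc

                drop table #PendingMachineStatus
                drop table #MachineStatus";
           // Assign cmd.Connection where the command is executed (or pass the connection here).
           var cmd = new SqlCommand(str);
           // Types and sizes follow the temp-table definitions above (cYear NVARCHAR(4),
           // AssignedDate DATETIME). The cookie lookup is null when the cookie is absent —
           // validate it before executing; this snippet does not.
           cmd.Parameters.Add("@cYear", SqlDbType.NVarChar, 4).Value = Request.Cookies["BCookies"]["SessionFinancialYear"];
           // Bind the DateTime directly; SelectedDate.ToString() is culture-dependent text.
           cmd.Parameters.Add("@AssignedDate", SqlDbType.DateTime).Value = Calendar2.SelectedDate;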

答案 1 :(得分:0)

您可以使用SqlParameter

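    //
    // The name we are trying to match. In a web page this would be user input;
    // binding it through a SqlParameter keeps it out of the SQL text entirely.
    //
    string dogName = "Fido";
    //
    // Connection string comes from application settings, never from the request.
    //
    string connectionString =
        ConsoleApplication1.Properties.Settings.Default.ConnectionString;
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        connection.Open();
        //
        // Description of SQL command:
        // 1. It selects all cells from rows matching the name.
        // 2. It uses the LIKE operator because Name is a text field. Note that '%' and '_'
        //    inside the bound value still act as wildcards — escape them if an exact match
        //    is required (this is a matching issue, not an injection issue).
        // 3. @Name is a placeholder resolved server-side; the value can never alter the
        //    statement's structure, which is what defeats SQL injection.
        //
        using (SqlCommand command = new SqlCommand(
            "SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
        {
            //
            // Add the parameter. The driver infers the SQL type from the .NET value here;
            // in production prefer an explicit SqlDbType/size matching the column
            // (column type is not shown in this sample).
            //
            command.Parameters.Add(new SqlParameter("@Name", dogName));
            //
            // Dispose the reader so the connection is released even if reading throws;
            // the original left it undisposed.
            //
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    int weight = reader.GetInt32(0);
                    string name = reader.GetString(1);
                    string breed = reader.GetString(2);
                    Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}",
                        weight,
                        name,
                        breed);
                }
            }
        }
    }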

示例中的更多详细信息:https://www.dotnetperls.com/sqlparameter

答案 2 :(得分:0)

这是高风险做法:在 OWASP Top 10 (2017) 中,注入(A1:2017-Injection,包括 SQL 注入)位列第一。把来自 Request.Cookies 等客户端可控的值拼进 SQL 文本,正是这类漏洞的典型来源。

  • 您应使用以下链接创建存储过程:Create a SP
  • 然后应该使用 ADO.Net/Entity Framework 通过代码执行存储过程,客户端到服务器的值只通过 SQL 参数传递。需要注意:存储过程本身也必须是静态 SQL——如果过程内部再用传入参数拼接字符串去 EXEC / sp_executesql,注入风险只是换了个位置。对于 ADO,请使用链接:Call a SP using ADO