使用where子句的参数化查询

时间:2018-10-05 13:10:49

标签: c# sql-server-2008-r2 .net-4.0 parameterized-query

我正在尝试使用where子句执行参数化查询 我没有错误,但是我没有数据,但是当我执行相同的查询时 在sql server studio上我得到正确的结果

怎么了?

在某些情况下,最后一个问题我可能不会通过其中一个类似的参数,然后如何避免将该参数绑定到查询?

public void GetPatientInfoFilter()
{
    string connStr = ConfigurationManager.ConnectionStrings["SRJDconnstr"].ToString();
    string cmdStr = @"SELECT ID,
                                             DocNUM,
                                             NAM+' '+LFNAME as FirstLastName,
                                             FNAME,
                                             SEX,
                                             BIRTHDAY,
                                             PHONE,
                                             MOBILE,
                                             ADDRESS
                                  FROM SICK
                               WHERE DocNUM LIKE @DocNUM
                                    AND NAM+' '+LFNAME LIKE @FLNAME
                                    AND FNAME LIKE @FNAME";

    using (SqlConnection conn = new SqlConnection(connStr))
    using (SqlCommand cmd = new SqlCommand(cmdStr, conn))
    {
        conn.Open();
        cmd.CommandText = cmdStr;
        cmd.CommandType = CommandType.Text;

        dtPatientInfo.Rows.Clear();
           cmd.Parameters.Add(new SqlParameter("@DocNUM", SqlDbType.VarChar,10)).Value = "%" + TB_DocNum.Text + "%";
            cmd.Parameters.Add(new SqlParameter("@FLNAME", SqlDbType.VarChar,200)).Value = "%" + TB_FirstLastName.Text + "%";
            cmd.Parameters.Add(new SqlParameter("@FNAME", SqlDbType.VarChar,100)).Value = "%" + TB_FatherName.Text + "%";


        SqlDataAdapter da = new SqlDataAdapter(cmd);
        da.Fill(dtPatientInfo);
        dataGridView1.DataSource = dtPatientInfo;
    }
}

这是我在SSMS中执行查询的方式

SELECT ID,
                                                     DocNUM,
                                                     NAM+' '+LFNAME as FirstLastName,
                                                     FNAME,
                                                     SEX,
                                                     BIRTHDAY,
                                                     PHONE,
                                                     MOBILE,
                                                     ADDRESS
                                          FROM SICK
                                       WHERE DocNUM LIKE '%1%'
                                            AND NAM+' '+LFNAME LIKE '%sa%'
                                            AND FNAME LIKE '%b%'

1 个答案:

答案 0 :(得分:0)

您是否将%通配符放入文本框中?我敢打赌你想要这个:

string cmdStr = 
    @"SELECT ID,
         DocNUM,
         NAM+' '+LFNAME as FirstLastName,
         FNAME,
         SEX,
         BIRTHDAY,
         PHONE,
         MOBILE,
         ADDRESS
     FROM SICK
     WHERE DocNUM LIKE '%' + @DocNUM + '%'
         AND NAM+' '+LFNAME LIKE '%' + @FLNAME + '%'
         AND FNAME LIKE '%' + @FNAME + '%'";

您还可以考虑删除前导通配符,仅进行“开头为”匹配,因为我们在此处所采取的措施可以防止任何索引帮助此查询。