我有一个SQL Server数据库表,正在使用C#应用程序连接到SQL,查看该表并将值返回到表单的文本框中。但是,当我单击按钮时,出现以下错误:
将数据类型varchar转换为数字C#应用程序时出错
我的代码在这里:
private void buttonFilter_Click(object sender, EventArgs e)
{
try
{
using (SqlConnection sqlCon = new SqlConnection(connectionString))
{
sqlCon.Open();
SqlDataAdapter sqlDa = new SqlDataAdapter(string.Format(
"SELECT {0} FROM {1} WHERE {2} = " + SearchBox.Text.ToString(),
ConfigurationManager.AppSettings["SQLFirst3FieldResults"],
ConfigurationManager.AppSettings["SQLTableName"],
ConfigurationManager.AppSettings["SQLSearchColumn"]), sqlCon);
DataTable dtbl = new DataTable();
sqlDa.Fill(dtbl);
debtTypeResult.Text = dtbl.Rows[0][0].ToString();
customerNameResult.Text = dtbl.Rows[0][1].ToString();
customerIDResult.Text = dtbl.Rows[0][2].ToString();
label1.Visible = true;
label2.Visible = true;
label3.Visible = true;
debtTypeResult.Visible = true;
customerNameResult.Visible = true;
customerIDResult.Visible = true;
button1.Visible = true;
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
}
答案 0 :(得分:3)
首先在对代码加引号的情况下进行最小限度的校正:
SqlDataAdapter sqlDa = new SqlDataAdapter(string.Format(
"SELECT {0} FROM {1} WHERE {2} = '" + SearchBox.Text.ToString() + "'",
ConfigurationManager.AppSettings["SQLFirst3FieldResults"],
ConfigurationManager.AppSettings["SQLTableName"],
ConfigurationManager.AppSettings["SQLSearchColumn"]), sqlCon);
DataTable dtbl = new DataTable();
sqlDa.Fill(dtbl);
但是,完全不建议采用这种方法,因为
建议您尽可能使用参数。如果您搜索的值中带有单引号,它会更安全并且查询不会中断:
SqlDataAdapter sqlDa = new SqlDataAdapter($"SELECT {ConfigurationManager.AppSettings["SQLFirst3FieldResults"]} FROM {ConfigurationManager.AppSettings["SQLTableName"]} WHERE {ConfigurationManager.AppSettings["SQLSearchColumn"]} = @which", sqlCon);
sqlDa.SelectCommand.Parameters.AddWithValue("@which", SearchBox.Text.ToString());
DataTable dtbl = new DataTable();
sqlDa.Fill(dtbl);