2017-09-23 23 views
0

I need the "WHERE" value to come from a variable or a textbox, and I am having trouble successfully replacing "IN PRODUCTION" with a variable or textbox. The WHERE clause needs to come from a variable or textbox.

Can someone help me?

Private da As New SqlDataAdapter("SELECT Node as 'Node', BrandName as 'Make', ipaddress as 'IP Address', AssetNumber as 'Asset Number', AreaUsed as 'Location', " & 
           "EthernetPortQt as 'Total Ethernet Ports', SfpPortQty as 'Total SFP Ports', EthernetPortsAvail as 'Total Ethernet Ports Available', " & 
           "SfpPortsAvail as 'Total SFP Ports Available', PortUsedForUplink as 'Ethernet Port Used For Uplink', UplinkConnectionID as 'Uplink Internal ID', " & 
           "UplinkArea as 'Uplink Area', UplinkHome as 'Uplink Home', UplinkHomePanelandPosition as 'Uplink Home Panel and Position', " & 
           "UplinkHomeSwitch as 'Uplink Home Switch', UplinkHomeSwitchPort as 'Uplink Home Switch Port', " & 
           "LastVerifiedDate as 'Date Last Verified', LastVerifiedBy as 'Verified By', Status as 'Appliance Status' FROM tbl_Switches WHERE Status = 'IN PRODUCTION' ORDER BY Node", cs) 
+1

First thing, use the preview window and the formatting toolbar so that code looks like code. Then use parameters to supply the data for INSERTs, UPDATEs and WHERE clauses – Plutonix

Answers

1

I am used to working with command objects. So...

' at the top of the file
Imports System.Data 
Imports System.Data.SqlClient 

Private strSQL As String = "some connection string" 
    Private Sub GetSomeData() 
     Dim cn As New SqlConnection(strSQL) 
     Dim cmd As New SqlCommand With { 
      .Connection = cn, 
      .CommandType = CommandType.Text, 
      .CommandText = "Select Node as 'Node'...Where Status = @Status"} 
     ' size 20 assumes Status is varchar(20); take it from the column definition 
     cmd.Parameters.Add("@Status", SqlDbType.VarChar, 20, "Status").Value = cbStatus.Text ' combo box text 
     Dim da As New SqlDataAdapter(cmd) 
     ' ... da.Fill(someDataTable) and bind it 
    End Sub 

Get the parameter information from the column definition in the table. If you use a textbox you have to do a lot of checking to prevent malicious injection. Using parameters helps, but you can restrict user input by using a combo box with its DropDownStyle set to DropDownList.

0

This is not an answer but a suggestion building on Plutonix's recommendation (which I agree with) about formatting the SQL.

For example, you can eliminate string concatenation entirely. The following uses XML literals (a nice thing that C# does not have).

All of the code below shows how to avoid string concatenation, and in doing so I found a malformed SELECT statement, as the "as" shown below does not look right.

EthernetPortQt 「總以太網端口」

Option Strict On 
' 
' I favor Infer On but suggest it off if you don't understand it 
' 
Option Infer Off 

Imports System.Data 

Public Class SampleDataOperation 
    Public Sub CallDemo() 
     Demo("IN PRODUCTION") 
    End Sub 
    Public Sub Demo(ByVal pWhereValue As String) 
     Using cn As New SqlClient.SqlConnection With {.ConnectionString = "TODO"} 
      ' the XML literal keeps the SQL readable; .Value returns its text content 
      Dim SelectStatement As String = 
       <SQL> 
        SELECT 
         Node as 'Node', 
         BrandName as 'Make', 
         ipaddress as 'IP Address', 
         AssetNumber as 'Asset Number', 
         AreaUsed as 'Location', 
         EthernetPortQt as 'Total Ethernet Ports', 
         SfpPortQty as 'Total SFP Ports', 
         EthernetPortsAvail as 'Total Ethernet Ports Available', 
         SfpPortsAvail as 'Total SFP Ports Available', 
         PortUsedForUplink as 'Ethernet Port Used For Uplink', 
         UplinkConnectionID as 'Uplink Internal ID', 
         UplinkArea as 'Uplink Area', 
         UplinkHome as 'Uplink Home', 
         UplinkHomePanelandPosition as 'Uplink Home Panel and Position', 
         UplinkHomeSwitch as 'Uplink Home Switch', 
         UplinkHomeSwitchPort as 'Uplink Home Switch Port', 
         LastVerifiedDate as 'Date Last Verified', 
         LastVerifiedBy as 'Verified By', 
         Status as 'Appliance Status' 
        FROM tbl_Switches 
         WHERE Status = @StatusCondition 
        ORDER BY Node 
       </SQL>.Value 

      ' the command needs the connection, otherwise Fill fails 
      Using cmd As New SqlClient.SqlCommand With {.Connection = cn, .CommandText = SelectStatement} 

       ' the value never becomes part of the SQL text 
       cmd.Parameters.AddWithValue("@StatusCondition", pWhereValue) 

       Dim da As New SqlClient.SqlDataAdapter(cmd) 
       ' 
       ' continue... 
       ' 
      End Using 
     End Using 
    End Sub 
End Class
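As an added example (not code from the question or from either answer), here are the two approaches side by side in VB.NET: the concatenated WHERE clause the question started from, and a parameterised version that keeps the textbox value out of the SQL text entirely. It assumes a tbl_Switches table whose Status column is varchar(20), a connection string supplied by the caller, and the helper names BuildUnsafeSelect and LoadSwitches, which are invented for this example.

```vb
Option Strict On
Option Infer Off

Imports System.Data
Imports System.Data.SqlClient

' Added example; names and the varchar(20) Status column are assumptions.
Public Module SwitchQueries

    ' VULNERABLE: the user's text becomes part of the SQL statement itself.
    ' Typing   ' OR 1=1 --   into the textbox turns the filter into
    ' "every row", and   '; DROP TABLE tbl_Switches; --   is accepted too.
    ' Kept only to show what the concatenation in the question produces.
    Public Function BuildUnsafeSelect(ByVal statusText As String) As String
        Return "SELECT Node, Status FROM tbl_Switches WHERE Status = '" &
               statusText & "' ORDER BY Node"
    End Function

    ' SAFE: the SQL text is a constant; the value travels as a typed parameter,
    ' so quotes, comments and semicolons in it are just characters to compare.
    Public Function LoadSwitches(ByVal connectionString As String,
                                 ByVal statusText As String) As DataTable
        Const SelectSql As String =
            "SELECT Node AS 'Node', BrandName AS 'Make', ipaddress AS 'IP Address', " &
            "Status AS 'Appliance Status' " &
            "FROM tbl_Switches WHERE Status = @Status ORDER BY Node"

        If statusText Is Nothing Then
            Throw New ArgumentNullException(NameOf(statusText))
        End If
        ' Reject over-length input explicitly instead of relying on the
        ' parameter size to trim it to fit the assumed varchar(20) column.
        If statusText.Length > 20 Then
            Throw New ArgumentException("Status must be at most 20 characters.", NameOf(statusText))
        End If

        Dim table As New DataTable()
        Using cn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(SelectSql, cn)
                ' Declare type and length to match the column. AddWithValue
                ' would infer NVARCHAR and can force an implicit conversion
                ' on the Status column, which defeats an index on it.
                Dim p As SqlParameter = cmd.Parameters.Add("@Status", SqlDbType.VarChar, 20)
                p.Value = statusText
                Using da As New SqlDataAdapter(cmd)
                    da.Fill(table)
                End Using
            End Using
        End Using
        Return table
    End Function

End Module

' Usage from a form, e.g. a button handler:
'   Dim rows As DataTable = SwitchQueries.LoadSwitches(cs, txtStatus.Text)
'   dgvSwitches.DataSource = rows
```

Restricting the combo box to DropDownList, as the first answer suggests, is a usability measure that stops typos; it is the parameter that removes the injection path, because a value arriving through a parameter is never parsed as SQL. The length and null checks are there so bad input fails loudly in the application rather than being silently truncated or sent to the server.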