2009-07-11 129 views
1

The string passed to my custom function is the following (the conversion fails):

SELECT key FROM ubis WHERE MemberID = '144' 
AND To >='11/7/2009 9:11:23 pm' 
AND From <= '11/7/2009 9:11:23 pm' 

    Imports System.Configuration
    Imports System.Data
    Imports System.Data.SqlClient

    ' Takes raw SQL text and returns the result set as a DataTable.
    Public Shared Function GetDataTable(ByVal CmdText As String) As DataTable
        Dim myConn As New SqlConnection(ConfigurationManager.ConnectionStrings("Conn").ConnectionString)
        Dim myCmd As New SqlCommand(CmdText, myConn)
        myConn.Open()
        Dim myReader As SqlDataReader = myCmd.ExecuteReader()
        Dim myTable As New DataTable()
        myTable.Load(myReader)
        myConn.Close()   ' not reached if ExecuteReader or Load throws
        Return myTable
    End Function

and here is the error I get: Conversion failed when converting datetime from character string.

I know the datetime field is passed to the function as a string, but what are my options?

Answers

1

Have you tried running the SQL in Management Studio and seeing what happens?

1

11/7/2009 is ambiguous - is it 11 July or 7 November?

SQL can't tell - it depends on the default it has been set up with. It would be better to pass the date in an unambiguous format:

SELECT key FROM ubis WHERE MemberID = '144' 
       AND To >='11 July 2009 9:11:23 pm' 
       AND From <= '11 July 2009 9:11:23 pm' 

Or, use an explicit conversion with the right format code, or a custom one, as suggested by Zyphrax:

SELECT key FROM ubis WHERE MemberID = '144' 
     AND To >= CONVERT(datetime, '11/7/2009 9:11:23 pm', 105) 
     AND From <= CONVERT(datetime, '11/7/2009 9:11:23 pm', 105) 

+0

11 July... today – OrElse 2009-07-11 20:32:30

+0

It's 11 July! dd/MM/yyyy – OrElse 2009-07-11 20:50:04

0

You can use the CONVERT command to convert the character string to datetime.

SELECT key FROM ubis WHERE MemberID = '144' 
      AND To >= CONVERT(datetime, '11/7/2009 9:11:23 pm', 105) 
      AND From <= CONVERT(datetime, '11/7/2009 9:11:23 pm', 105) 

I'm not sure about 105, you may need to google the correct format code.

Also, if your SQL code throws an exception, your connection won't be closed. You may want to add some Using code to fix that.

Public Shared Function GetDataTable(ByVal CmdText As String) As DataTable
    Using myConn As New SqlConnection(ConfigurationManager.ConnectionStrings("Conn").ConnectionString)
        Using myCmd As New SqlCommand(CmdText, myConn)
            myConn.Open()
            Using myReader As SqlDataReader = myCmd.ExecuteReader()
                Dim myTable As New DataTable()
                myTable.Load(myReader)
                ' The Using blocks dispose the reader, command and connection
                ' on every exit path, including exceptions.
                Return myTable
            End Using
        End Using
    End Using
End Function

2

Have you considered using parameterized queries? That would solve your problem and improve security in cases where the WHERE conditions come from user input.

Example (VB.NET):

Dim myCmd As New SqlCommand(CmdText, myConn) 
myCmd.Parameters.AddWithValue("MemberID", 144) 
myCmd.Parameters.AddWithValue("Timestamp", DateTime.Now) 

With this query text (SQL):

SELECT key FROM ubis WHERE MemberID = @MemberID 
AND @Timestamp BETWEEN From AND To 

Off topic: in SQL, the BETWEEN keyword is just a neat way of expressing a >= AND <= condition.

2

This smells like a SQL injection vulnerability. There's no chance that date came from a user (even indirectly), is there? Even if this one is safe, a generic function like GetDataTable() doesn't lend itself well to query parameters, and that is almost always a mistake.

You want something more like this:

Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Public Shared Function GetMemberKeys(ByVal MemberID As Integer, ByVal KeyDate As DateTime) As DataTable

    ' KEY, FROM and TO are reserved words in T-SQL, hence the brackets.
    Static sql As String = _
        "SELECT [key]" _
        + " FROM ubis" _
        + " WHERE MemberID= @MemberID AND @KeyDate BETWEEN [FROM] AND [TO]"

    Dim dt As New DataTable()
    Using cn As New SqlConnection(ConfigurationManager.ConnectionStrings("Conn").ConnectionString), _
          cmd As New SqlCommand(sql, cn)

        ' Typed parameters: the values never become part of the SQL text,
        ' so neither date-format rules nor injection apply to them.
        cmd.Parameters.Add("@MemberID", SqlDbType.Int).Value = MemberID
        cmd.Parameters.Add("@KeyDate", SqlDbType.DateTime).Value = KeyDate

        cn.Open()
        Using rdr As SqlDataReader = cmd.ExecuteReader()
            dt.Load(rdr)
        End Using
    End Using
    Return dt
End Function
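
The following T-SQL script is an added example, not code from any of the posters. It serves two of the answers above: the one on the 11/7/2009 ambiguity, by showing how the same literal parses under different DATEFORMAT settings and which formats are immune to that, and the parameterized-query answers, by running the lookup with typed parameters on the server side via sp_executesql. The temporary table #ubis and its single row are constructed stand-ins for the asker's ubis table; the column names key, From and To are bracketed because they are reserved words.

```sql
-- Added example (not from the original thread). #ubis is a constructed
-- stand-in for the asker's table; the row is constructed sample data.
SET NOCOUNT ON;

CREATE TABLE #ubis (
    MemberID int         NOT NULL,
    [key]    varchar(50) NOT NULL,
    [From]   datetime    NOT NULL,
    [To]     datetime    NOT NULL
);

-- One key valid for the whole of 11 July 2009 (ISO 8601 with the 'T'
-- separator, which SQL Server parses independently of DATEFORMAT).
INSERT INTO #ubis (MemberID, [key], [From], [To])
VALUES (144, 'constructed-key', '2009-07-11T00:00:00', '2009-07-11T23:59:59');

-- 1. The asker's literal is read day-first or month-first depending on
--    the session setting, so the same text yields two different dates.
SET DATEFORMAT dmy;
SELECT CAST('11/7/2009 9:11:23 pm' AS datetime) AS parsed_under_dmy;

SET DATEFORMAT mdy;   -- the default for the us_english language
SELECT CAST('11/7/2009 9:11:23 pm' AS datetime) AS parsed_under_mdy;

-- 2. Formats whose meaning does not depend on DATEFORMAT or language:
SELECT
    CAST('2009-07-11T21:11:23' AS datetime)          AS iso8601_with_t,
    CAST('20090711 21:11:23' AS datetime)            AS unseparated,
    CONVERT(datetime, '11/07/2009 21:11:23', 103)    AS explicit_style_103;  -- dd/mm/yyyy

-- 3. The lookup itself with typed parameters: the date travels as a
--    datetime value, not as text inside the statement, so neither the
--    parsing rules above nor injection can affect it.
DECLARE @sql nvarchar(max) = N'
    SELECT [key]
    FROM #ubis
    WHERE MemberID = @MemberID
      AND @Timestamp BETWEEN [From] AND [To]';

EXEC sp_executesql
    @sql,
    N'@MemberID int, @Timestamp datetime',
    @MemberID  = 144,
    @Timestamp = '2009-07-11T21:11:23';

DROP TABLE #ubis;
```

Run in Management Studio, the first SELECT returns 11 July 2009 and the second 7 November 2009, which is the ambiguity the answer describes; the three values in step 2 all come out as 11 July 2009 21:11:23 regardless of the setting in force. The parameterized call in step 3 returns the constructed key because the timestamp falls inside the row's inclusive From/To range, and the query text itself never changes between calls, which is the property that makes it safe to reuse with values taken from user input.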