sql查詢問題

protected void Button1_Click(object sender, EventArgs e) 
{ 
    SqlConnection myConnection = new SqlConnection("Data Source=DELL-PC\\SQLEXPRESS;Initial Catalog=eclass;Persist Security Info=True;integrated security = true"); 
    myConnection.Open(); 
    string key = txtsearchkey.Text.ToString(); 

    SqlCommand q1 = new SqlCommand("select cat_id from category where cat_name='" + (ddsearchcat.SelectedItem.ToString() + "'"), myConnection); 
    string cat = q1.ExecuteScalar().ToString(); 

    SqlCommand q2 = new SqlCommand("select subcat_id from subcategory where subcat_name= '" + (ddsearchsubcat.SelectedItem.ToString() + "'"), myConnection); 
    string subcat = q2.ExecuteScalar().ToString(); 

    SqlCommand q3 = new SqlCommand("select adid from adType where adtype= '" + (ddsearchtype.SelectedItem.ToString()) + "'", myConnection); 
    string adtype = q3.ExecuteScalar().ToString(); 

    String date = ddsearchdays.SelectedItem.ToString(); 

    if (chkAdimg.Checked) 
    { 
     if (chkAdVideo.Checked) 
     { 
      SqlCommand query = new SqlCommand("select title,ad_description from postad where ad_description like " + txtsearchkey + " and category_id=" + cat + " and subcategory_id=" + subcat + " and ad_id=" + adtype + " and video is not null and img_id is not null and adType INNER JOIN adType AS adType_1 ON adType.adid = adType_1.adid CROSS JOIN category CROSS JOIN subcategory CROSS JOIN userdetails", myConnection);   

      DataSet ds = new DataSet(); 
      SqlDataAdapter ad = new SqlDataAdapter(query); 
      ad.Fill(ds); 
      foreach (DataRow dr in ds.Tables[0].Rows) 
      { 
        Response.Write(dr[0].ToString()); 
      } 
     } 
    } 
}

這個查詢是給了我一個問題，說sql查詢問題

其中條件，預計在指定的上下文非布爾型的表達，接近內心...

我應該讓我的查詢什麼變化

來源

2011-04-15 shweta

看起來你`的SqlCommand query`線可能是罪魁禍首。我的猜測是你上面的查詢之一，你使用值來建立你的`SqlCommand查詢`返回一個無效的值。你應該通過它來確保你獲得了正確的值，並且可能應該在使用它們來構建另一個查詢之前驗證這些變量。 – Prescott 2011-04-15 16:13:59

**首先：**將** NOT **字符串連接到SQL查詢中！你知道嗎[SQL注入]（http://xkcd.com/327/）？不要這樣做 - 不是永遠。請改用**參數化查詢**！ – 2011-04-15 20:02:23

select title,ad_description from postad where ad_description like " + txtsearchkey + " and category_id=" + cat + " and subcategory_id=" + subcat + " and ad_id=" + adtype + " and video is not null and img_id is not null and adType INNER JOIN adType AS adType_1 ON adType.adid = adType_1.adid CROSS JOIN category CROSS JOIN subcategory CROSS JOIN userdetails", myConnection);

你在哪裏使用內部連接後的條件？

我想這可能是正確的

select title,ad_description 
from postad 
INNER JOIN adType AS adType_1 ON adType.adid = adType_1.adid 
CROSS JOIN category 
CROSS JOIN subcategory 
CROSS JOIN userdetails 
where ad_description like " + txtsearchkey + " 
    and category_id=" + cat + " 
    and subcategory_id=" + subcat + " 
    and ad_id=" + adtype + " 
    and video is not null 
    and img_id is not null

來源

2011-04-15 16:12:38 Nighil

adType INNER JOIN adType AS adType.adid = atType_1.adid – shweta 2011-04-15 16:16:22

我以爲這是在這兒，你已經有了

...and adType INNER JOIN adType...

你的聯接應在WHERE子句之前完成，更何況你確實應該使用參數的值而不是純文本，以避免像SQL注入的東西，你可能會需要％的值你想做一個LIKE，但我離題...

來源

2011-04-15 16:13:16 w69rdy

該varch ar列應該包含引用的值。例如

where ad_description like " + txtsearchkey + " and

應該是

where ad_description like '" + txtsearchkey + "' and

此外

img_id is not null and adType INNER JOIN

應具有

img_id is not null INNER JOIN

即ADTYPE似乎是不必要的。

這不是製作動態SQL的好方法。它不僅暴露給SQL注入，而且幾乎不可能維護。

來源

2011-04-15 16:15:26

你有你的WHERE條款後您的加入，它需要是WHERE條款前後FROM

select 
    title, 
    ad_description 
from postad 
INNER JOIN adType AS adType_1 ON adType.adid = adType_1.adid 
CROSS JOIN category 
CROSS JOIN subcategory 
CROSS JOIN userdetails 
where ad_description like " + txtsearchkey + " 
and category_id=" + cat + " 
and subcategory_id=" + subcat + " 
and ad_id=" + adtype + " 
and video is not null 
and img_id is not null 
and adType "

來源

2011-04-15 16:15:43

回答

相關問題