We have a form that passes three parameters, fname, lname and hiredate, to another page, which checks whether a person is an employee of the company. How do we check whether the employee has registered for benefits?
The code below validates against those three parameters.
Dim sqlstr As String = "SELECT fname,lname,hiredate, (SELECT COUNT(*) FROM Comp WHERE comp.emp_ID = e.emp_ID) AS [exists], b.* FROM dbo.EMP e LEFT OUTER JOIN comp b ON e.emp_id=b.emp_id WHERE e.fname Like '%" & Request.QueryString("fname") & "%' And e.lname Like '%" & Request.QueryString("lname") & "%' And e.hiredate = '" & Request.QueryString("hiredate") & "'"
If the check confirms that the person is indeed an employee, the next piece of code checks his/her eligibility to receive benefits:
If myDS.Tables(0).Rows.Count > 0 Then
Dim listOfBenefits = New List(Of String) ({ _
"CT07B", "CT081", "CT083", "SG09A", "SG10", "SC11A", "SG23", "SG23A", "SG27" _
})
If Not listOfBenefits.Contains(txtBenefits.Text) Then
lblMsg.Text = "This employee is not eligible to receive any of the listed benefits yet."
End If
End If
This works very well so far.
Now we are trying to add another check to verify whether a particular employee has already registered for any benefits.
If the employee has not registered for any benefits, there is no need to check his or her eligibility.
On the other hand, if the employee has already registered for some benefits, then we check whether he/she is eligible for any of the benefits listed above.
So far my check to determine whether the employee has registered for any benefits does not work; it is being ignored.
What am I doing wrong?
Here is the updated code, which includes the benefits-registration check.
Dim sqlstr As String = "SELECT fname,lname,hiredate, (SELECT COUNT(*) FROM Comp WHERE comp.emp_ID = e.emp_ID) AS [exists], b.* FROM dbo.EMP e LEFT OUTER JOIN comp b ON e.emp_id=b.emp_id WHERE e.fname Like '%" & Request.QueryString("fname") & "%' And e.lname Like '%" & Request.QueryString("lname") & "%' And e.hiredate = '" & Request.QueryString("hiredate") & "'"
If myDS.Tables(0).Rows.Count > 0 Then
' Ok, this individual is an employee, let's check to see if s/he has registered for any benefits.
benefitSQL = "SELECT fname, lname, (SELECT COUNT(*) FROM benefits WHERE benefits.emp_ID = e.emp_ID) AS [exists], b.* FROM dbo.EMP e LEFT OUTER JOIN benefits b ON e.emp_id=b.emp_id "
If CInt(exists.Value) > 0 Then
' Then employee has some benefits. Now, check whether one of those benefits is on the list below. '
Dim listOfBenefits = New List(Of String) ({ _
"CT07B", "CT081", "CT083", "SG09A", "SG10", "SC11A", "SG23", "SG23A", "SG27" _
})
If Not listOfBenefits.Contains(txtBenefits.Text) Then
lblMsg.Text = "This employee is not eligible to receive any of the listed benefits yet."
End If
Else
lblMsg.Text = "This employee has not registered for any benefits yet."
End If
End If
The SQL, formatted:
SELECT
    fname,
    lname,
    hiredate,
    (
        SELECT COUNT(*)
        FROM Comp
        WHERE comp.emp_ID = e.emp_ID
    ) AS [exists],
    b.*
FROM
    dbo.EMP e
    LEFT OUTER JOIN comp b ON e.emp_id = b.emp_id
WHERE
    e.fname LIKE '%' + @fname + '%'
    AND e.lname LIKE '%' + @lname + '%'
    AND e.hiredate = @hiredate
How are you executing the benefits query, ExecuteScalar or ExecuteSql? –
Your code is open to SQL injection attacks. – Dai
The code I showed is just a snippet from a very long piece of code. I only want someone to see whether my logic is off. I can worry about injection later. – Kenny
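The following is an added example, not code from the question or from any of the commenters. It shows the same two-step check (is this person an employee; if so, have they registered for any benefits) with the benefits query actually executed through ExecuteScalar, and with every user-supplied value passed as a SqlParameter rather than concatenated into the SQL text, which is the injection problem Dai points out. It assumes an open SqlConnection named conn, the dbo.EMP and benefits tables from the question (emp_id as an integer key, hiredate as a DATE column), and that hiredate arrives from the form as an ISO yyyy-MM-dd string; the class and function names are illustrative. The eligibility test itself (the typed benefit code against the fixed list) is kept as the question has it.

```vbnet
' Added example: parameterised version of the question's employee / benefits check.
' Assumptions: an open SqlConnection, dbo.EMP(emp_id INT, fname, lname, hiredate DATE)
' and benefits(emp_ID INT, ...) as in the question. Names here are illustrative.
Imports System.Data
Imports System.Data.SqlClient
Imports System.Globalization

Public Class BenefitsCheck
    Private Shared ReadOnly ListOfBenefits As New List(Of String) From {
        "CT07B", "CT081", "CT083", "SG09A", "SG10", "SC11A", "SG23", "SG23A", "SG27"
    }

    ' Returns the emp_id of the first matching employee, or Nothing when no row matches.
    Public Shared Function FindEmployee(conn As SqlConnection, fname As String,
                                        lname As String, hiredate As Date) As Integer?
        ' The wildcards stay in the SQL text; only the values travel as parameters, so
        ' input such as  ' OR 1=1 --  is compared literally instead of parsed as SQL.
        Const sql As String =
            "SELECT TOP 1 e.emp_id FROM dbo.EMP e " &
            "WHERE e.fname LIKE '%' + @fname + '%' " &
            "  AND e.lname LIKE '%' + @lname + '%' " &
            "  AND e.hiredate = @hiredate"
        Using cmd As New SqlCommand(sql, conn)
            cmd.Parameters.Add("@fname", SqlDbType.NVarChar, 100).Value = fname
            cmd.Parameters.Add("@lname", SqlDbType.NVarChar, 100).Value = lname
            cmd.Parameters.Add("@hiredate", SqlDbType.Date).Value = hiredate
            Dim result As Object = cmd.ExecuteScalar()
            If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
            Return CInt(result)
        End Using
    End Function

    ' Number of benefit rows registered for this employee; 0 means none.
    ' ExecuteScalar returns the first column of the first row, i.e. the COUNT(*).
    Public Shared Function CountRegisteredBenefits(conn As SqlConnection, empId As Integer) As Integer
        Const sql As String = "SELECT COUNT(*) FROM benefits WHERE emp_ID = @empId"
        Using cmd As New SqlCommand(sql, conn)
            cmd.Parameters.Add("@empId", SqlDbType.Int).Value = empId
            Return CInt(cmd.ExecuteScalar())
        End Using
    End Function

    ' Full check as the question describes it. hiredate is the raw form value; a value
    ' that is not a valid yyyy-MM-dd date is rejected before any query runs.
    Public Shared Function Evaluate(conn As SqlConnection, fname As String, lname As String,
                                    hiredate As String, benefitCode As String) As String
        Dim hired As Date
        If Not Date.TryParseExact(hiredate, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                  DateTimeStyles.None, hired) Then
            Return "hiredate must be a date in yyyy-MM-dd form."
        End If

        Dim empId As Integer? = FindEmployee(conn, fname, lname, hired)
        If Not empId.HasValue Then Return "No employee matched."

        ' Step the question was missing: the registration query must actually be executed
        ' and its result tested, instead of reading an [exists] column that was never fetched.
        If CountRegisteredBenefits(conn, empId.Value) = 0 Then
            Return "This employee has not registered for any benefits yet."
        End If

        If Not ListOfBenefits.Contains(benefitCode) Then
            Return "This employee is not eligible to receive any of the listed benefits yet."
        End If
        Return "Eligible."
    End Function
End Class
```

Two practical notes on this shape. Parameters stop the value from changing the statement, but `%` and `_` typed into fname or lname are still LIKE wildcards inside the parameter value, so an empty or `%` first name matches every employee; escape them (or require a minimum length) if that matters for your page. Second, FindEmployee and CountRegisteredBenefits are kept as separate functions so each can be called and tested on its own, which is also the easiest way to confirm the registration query really runs, the symptom described in the question.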