2011-08-09 200 views
2

I am new to asp & sql server. I am getting a problem in my sql query: Incorrect syntax near '00'

string obal;
decimal _obalss = 0;
decimal obalss = 0;
sconnection c = new sconnection();
string cus_id = Session["cusid"].ToString();
// Parse the user-entered date with the en-US culture.
DateTime maxdate = DateTime.Parse(fromdt.Text, new System.Globalization.CultureInfo("en-US"));
string mdate = maxdate.ToString();
// Query text is built by string concatenation; maxdate is inserted without quotes.
string query_sl = "select sum(amount) as amount from sale where cusid = " + cus_id + " and invdate < " + maxdate + " group by cusid";
SqlDataReader dr = c.reader(query_sl);
if (dr.Read())
{
    decimal.TryParse(dr["amount"].ToString(), out _obalss);
    obalss = _obalss;
}
else
{
    obalss = 0;
}
dr.Close();
dr.Dispose();
+2

Quick note: this has *nothing* to do with ASP.NET and *everything* to do with SQL. –

+0

Put a breakpoint there and look at which query is generated into the query_sl string variable, then post it here so we can see which query is actually executed – sll

Answers

11
string query_sl = "select sum(amount) as amount from sale where cusid = " + cus_id + " and invdate < " + maxdate + " group by cusid"; 

maxdate is a date, you have to put it in single quotes. Better yet, you should use a parameterized SQL query, otherwise you are vulnerable to SQL injection attacks. How about something like this:

string query_sl = "select sum(amount) as amount from sale where cusid = @CUSID and invdate < @MAXDATE group by cusid"; 
using(SqlCommand cmd = new SqlCommand(query_sl, c)) 
{ 
    cmd.Parameters.Add(new SqlParameter("@CUSID", SqlDbType.Int)).Value = cus_id; 
    cmd.Parameters.Add(new SqlParameter("@MAXDATE", SqlDbType.DateTime)).Value = maxdate; 
    ... 
} 
+0

+1 for the parameterized query – Curt

+0

+1 for the parameterized query, at least. – MRAB

1
string query_sl = "select sum(amount) as amount from sale where cusid = " + cus_id + " and invdate < '" + maxdate + "' group by cusid"; 

Note the single quotes around maxDate...
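Added example (not code from the question or either answer): a complete version of the lookup that follows the accepted answer's parameterized approach. It also covers the point the quoting-only answer leaves open: wrapping maxdate in single quotes fixes the syntax error (an unquoted DateTime renders as something like 8/9/2011 12:00:00 AM in an en-US culture, which is where the parser trips over ':00'), but cus_id is still concatenated straight from Session, so both values are passed as typed parameters here. The connection string, the int/datetime/decimal column types of the sale table, and the method name OpeningBalance.Get are assumptions; the group by is dropped because filtering on a single cusid makes it redundant.

```csharp
// Added example, not the original poster's or answerers' code.
// Assumes a SQL Server connection string and a table "sale" with columns
// cusid (int), invdate (datetime) and amount (decimal), as the question implies.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class OpeningBalance
{
    // Returns the summed amount for one customer before a cut-off date,
    // or 0 when no rows match. User input never becomes part of the SQL text.
    public static decimal Get(string connectionString, string cusIdFromSession, string fromDateText)
    {
        // Validate and convert both inputs before they reach the database.
        int cusId;
        if (!int.TryParse(cusIdFromSession, NumberStyles.Integer, CultureInfo.InvariantCulture, out cusId))
            throw new ArgumentException("Customer id is not an integer.", "cusIdFromSession");

        DateTime maxDate;
        if (!DateTime.TryParse(fromDateText, new CultureInfo("en-US"), DateTimeStyles.None, out maxDate))
            throw new ArgumentException("Date is not in a recognised en-US format.", "fromDateText");

        // The query text is a constant; values travel as typed parameters, so
        // quoting, date formatting and injection are all handled by the driver.
        const string sql =
            "select sum(amount) as amount from sale " +
            "where cusid = @CUSID and invdate < @MAXDATE";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@CUSID", SqlDbType.Int).Value = cusId;
            cmd.Parameters.Add("@MAXDATE", SqlDbType.DateTime).Value = maxDate;

            conn.Open();
            object result = cmd.ExecuteScalar();

            // SUM over zero rows returns NULL (DBNull here); treat that as 0.
            if (result == null || result == DBNull.Value)
                return 0m;
            return Convert.ToDecimal(result, CultureInfo.InvariantCulture);
        }
    }
}
```

Usage from the page handler would be something like decimal obalss = OpeningBalance.Get(connStr, Session["cusid"].ToString(), fromdt.Text); the typed SqlDbType.DateTime parameter means the value arrives at SQL Server as a date, independent of the server's or the user's culture settings.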