2014-12-08 46 views
1

I have a search query that is throwing this error: Incorrect syntax near 'userId'. I don't know why, or how to fix it. It is affecting my other search queries as well (incorrect syntax near 'userId').

My SQL query:

oCommand = new SqlCommand(@"Select us.sFieldValue5, u.sUserName, d.sName, TB_USER_CUSTOMINFO.sFieldValue2, u.nUserIdn 
From TB_USER u(nolock) 
left join [TB_USER_CUSTOMINFO] us(nolock) on us.nUserIdn = u.nUserIdn 
left join TB_USER_CUSTOMINFO on u.nUserIdn = TB_USER_CUSTOMINFO.nUserIdn 
left join TB_USER_DEPT d(nolock) on d.nDepartmentIdn = u.nDepartmentIdn 
where (u.sUserName like '%" + txtUsername.Text + @"%' or '" + txtUsername.Text + @"' = '') 
and (us.sFieldValue5 like '%" + txtUserID.Text + @"%' or '" + txtUserID.Text + @"' = '') 
and (d.sDepartment like '%" + sDepartment + @"%' or '" + sDepartment + @"' = '--Select Department--') 
and (u.nUserIdn = " + userId + @" or " + txtusersID.Text + @" = 0)", oConnection);         
+4

Please use parameterized queries instead of building queries like this. It makes your code safer and easier to read. – 2014-12-08 07:28:23

+0

What is the variable type of userId in the last line? – 2014-12-08 07:43:14

+0

String builders, formatters, parameterized queries... please use these, dear, and make your code mature... – 2014-12-08 07:46:27

Answers

4

Start with parameterized queries. What you are doing is extremely dangerous, and it simply won't work if someone puts a single quote in a text box. (e.g. txtUserID.Text = "I'm going to crash now")

oCommand = new SqlCommand(@"Select us.sFieldValue5, u.sUserName, d.sName, TB_USER_CUSTOMINFO.sFieldValue2, u.nUserIdn 
      From TB_USER u(nolock) 
      left join [TB_USER_CUSTOMINFO] us(nolock) on us.nUserIdn = u.nUserIdn 
      left join TB_USER_CUSTOMINFO on u.nUserIdn = TB_USER_CUSTOMINFO.nUserIdn 
      left join TB_USER_DEPT d(nolock) on d.nDepartmentIdn = u.nDepartmentIdn 
      where (u.sUserName like ('%' + @UserName + '%') or @UserName = '') 
      and (us.sFieldValue5 like ('%' + @UserId + '%') or @UserId = '') 
      and (d.sDepartment like ('%' + @Department + '%') or @Department = '--Select Department--') 
      and (u.nUserIdn = @UserIdn or @UsersId = 0)", oConnection);  

// The text boxes go in as parameter values, so a quote in them is data, not SQL.
oCommand.Parameters.AddWithValue("@UserName", txtUsername.Text); 
oCommand.Parameters.AddWithValue("@UserId", txtUserID.Text); 
oCommand.Parameters.AddWithValue("@Department", sDepartment); 
// The two integer comparisons get typed int parameters (SqlDbType needs using System.Data;):
// @UserIdn is the userId variable, @UsersId is txtusersID.Text parsed in code,
// where an empty or non-numeric box becomes 0, i.e. "any user", as the original "= 0" branch intends.
oCommand.Parameters.Add("@UserIdn", SqlDbType.Int).Value = userId; 
int usersId; 
if (!int.TryParse(txtusersID.Text, out usersId)) usersId = 0; 
oCommand.Parameters.Add("@UsersId", SqlDbType.Int).Value = usersId; 
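As an added example (mine, not code from the question or the answer above), here is the concatenated WHERE clause from the question next to the parameterized form the answer recommends, run against an in-memory SQLite database standing in for SQL Server. It shows the question's own error (an empty numeric box leaves `or  = 0` in the SQL), the answer's single-quote crash, and, going one step beyond the answer, a UNION payload that reads a second table the search form never exposes; the same inputs are harmless once they are parameter values. Assumptions: the tables, rows and the `TB_SECRET` table are constructed for the demo, and SQLite spells concatenation `||` and placeholders `:name` where T-SQL uses `+` and `@name`.

```python
import sqlite3

# Constructed stand-ins for the page's tables. The search form is only meant to
# expose TB_USER; TB_SECRET is a second table the user should never be able to read.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table TB_USER (nUserIdn integer, sUserName text)")
    conn.executemany("insert into TB_USER values (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "bobby")])      # constructed rows
    conn.execute("create table TB_SECRET (sApiKey text)")
    conn.execute("insert into TB_SECRET values ('hunter2-api-key')")  # constructed secret
    return conn

def build_concat(user_name, users_id_text):
    """The question's pattern: text-box contents pasted straight into the SQL text."""
    return ("select u.nUserIdn from TB_USER u "
            "where (u.sUserName like '%" + user_name + "%' or '" + user_name + "' = '') "
            "and (u.nUserIdn = " + users_id_text + " or " + users_id_text + " = 0)")

def search_concat(conn, user_name, users_id_text):
    """Runs the concatenated query; returns the matching IDs, or the engine's error text."""
    try:
        return [r[0] for r in conn.execute(build_concat(user_name, users_id_text))]
    except sqlite3.OperationalError as e:
        return "error: " + str(e)

# The answer's shape: placeholders in the SQL, text boxes passed as values.
# (SQLite: '||' and ':name' where T-SQL has '+' and '@name'.)
PARAM_SQL = ("select u.nUserIdn from TB_USER u "
             "where (u.sUserName like '%' || :UserName || '%' or :UserName = '') "
             "and (u.nUserIdn = :UsersId or :UsersId = 0)")

def search_param(conn, user_name, users_id_text):
    """Parameterized query; the numeric box is converted in code, not by the SQL engine."""
    try:
        users_id = int(users_id_text)
    except ValueError:
        users_id = 0   # empty or non-numeric box means "any user", like the page's "= 0" branch
    return [r[0] for r in conn.execute(PARAM_SQL,
                                       {"UserName": user_name, "UsersId": users_id})]

if __name__ == "__main__":
    db = make_db()
    payload = "0) or (1=1) union select sApiKey from TB_SECRET --"
    print(search_concat(db, "bob", ""))             # the question's error: "... or  = 0" does not parse
    print(search_concat(db, "I'm crashing", "0"))   # the answer's point: one quote breaks the statement
    print(search_concat(db, "", payload))           # the same bug read as injection: TB_SECRET leaks
    print(search_param(db, "I'm crashing", "0"))    # as a value: no error, simply no match
    print(search_param(db, "", payload))            # as a value: just the users, secret untouched
```

The UNION payload works because the closing parenthesis and `--` let the attacker finish the page's clause early and comment out the rest of the line; with parameters the whole string is either a LIKE pattern or fails `int()` and becomes 0.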
0

In the last line of the code, after the user name part, you need to specify the column name before the OR operator.

Check the corrected code below:

oCommand = new SqlCommand(@"Select us.sFieldValue5, u.sUserName, d.sName, TB_USER_CUSTOMINFO.sFieldValue2, u.nUserIdn 
       From TB_USER u(nolock) 
       left join [TB_USER_CUSTOMINFO] us(nolock) on us.nUserIdn = u.nUserIdn 
       left join TB_USER_CUSTOMINFO on u.nUserIdn = TB_USER_CUSTOMINFO.nUserIdn 
       left join TB_USER_DEPT d(nolock) on d.nDepartmentIdn = u.nDepartmentIdn 
       where (u.sUserName like '%" + txtUsername.Text + @"%' or '" + txtUsername.Text + @"' = '') 
       and (us.sFieldValue5 like '%" + txtUserID.Text + @"%' or '" + txtUserID.Text + @"' = '') 
       and (d.sDepartment like '%" + sDepartment + @"%' or '" + sDepartment + @"' = '--Select Department--') 
       and (u.nUserIdn = " + userId + @" or u.nUserIdn = " + txtusersID.Text + @")", oConnection);         
+0

When run as a string, doesn't this give the following syntax: '(u.nUserIdn = SOMETHING or u.nUserIdn = SOMETHING = 0)'? – 2014-12-08 07:39:58

+0

Updated the query! – 2014-12-08 07:42:24