我想添加一个简单的SELECT语句在我的C#code。样品看起来像下面。类似的y FNAME该值来自参数。 //从myTable的选择LNAME,其中FNAME =Y
下面就是我米做。我米显然让SQL异常。如何纠正呢?谢谢你。
字符串strOrdersOrigSQL =SELECT姓氏FROM雇员;
//连接这些与去哪儿的条款默认的SQL语句,并添加排序依据条款
strOrdersSQL = strOrdersOrigSQL +,其中名字=+strFname;
解决方案
不过,这是可以做到的。
字符串strOrdersOrigSQL =SELECT姓氏FROM雇员;
//连接这些与去哪儿的条款默认的SQL语句,并添加排序依据条款
strOrdersSQL = strOrdersOrigSQL +,其中名字='+ strFname +';
这是没有这样做,因为它可能会受到SQL注入的正确方法。使用参数化查询来代替。
I want to add a simple select statement in my C# code. Sample looks like below. The value like y in fname comes from a parameter. //select lname from myTable where fname = 'y'
Here's what I m doing. I m obviously getting Sql Exception. How do I correct it? Thanks.
string strOrdersOrigSQL = "SELECT LastName FROM Employees";
// Concatenate the default SQL statement with the "Where" clause and add an OrderBy clause
strOrdersSQL = strOrdersOrigSQL + "where FirstName ="+ 'strFname';
解决方案
But it can be done as
string strOrdersOrigSQL = "SELECT LastName FROM Employees";
// Concatenate the default SQL statement with the "Where" clause and add an OrderBy clause
strOrdersSQL = strOrdersOrigSQL + " where FirstName ='"+ strFname + "'";
This is not proper way of doing it since it can be affected by SQL Injection. Use parameterised queries instead.