public partial class HardwareInformation : BaseForm
{
string sWhere = "";
public HardwareInformation()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
SqlConnection objConn1 = new SqlConnection("Data Source=192.168.0.203;Initial Catalog=costing;User ID=sa;Password=Spareage@123");
if ( searchtextbox.Text.Trim() != "" )
{
sWhere = "Where Srno '" + searchtextbox.Text;
}
SqlDataAdapter objAdapter = new SqlDataAdapter(@"Select distinct [Srno] ,[Employee Name] , [Department] , [Thin Client] , [Desktop] , [Lcd] , [Moniter] , [Printer] , [Ups] from [dbo].[HardwareDetail] " + sWhere + "", objConn1);
DataTable objTable = new DataTable();
objAdapter.Fill(objTable);
dataGridView1.DataSource = objTable;
dataGridView1.Columns[0].Width = 25;
for (int i = 1; i < dataGridView1.Columns.Count; i++)
{
dataGridView1.Columns[i].ReadOnly = true;
}
}
问问题
1926 次
3 回答
2
利用
"Where Srno = '" + searchtextbox.Text + "'";
您忘记了在 TextBox 文本之后=签名Srno和关闭单引号。
在创建 SqlDataAdapter 的行中,最后一次使用
"[Ups] from [dbo].[HardwareDetail] " + sWhere, objConn1);
顺便说一句,请注意SQLInjection。
于 2012-05-24T12:02:24.587 回答
1
文本框文本后缺少一个 = 符号和一个结束引号。因此应该是
"Where Srno = '" + searchtextbox.Text +"'";
于 2012-05-24T12:04:41.887 回答
1
您的代码容易受到SQL 注入攻击。你不应该在没有清理的情况下将用户输入直接插入到你的 SQL 中。您确实需要更改为参数化查询:
SqlDataAdapter objAdapter = new SqlDataAdapter(@"Select distinct [Srno] ,[Employee Name] , [Department] , [Thin Client] , [Desktop] , [Lcd] , [Moniter] , [Printer] , [Ups] from [dbo].[HardwareDetail] WHERE Srno = @srno", objConn1);
// Change the length and dbtype to match your needs
objAdapter.Parameters.Add("@srno", SqlDbType.NChar, 15, searchtextbox.Text);
DataTable objTable = new DataTable();
objAdapter.Fill(objTable);
这使您免受注入漏洞的影响,并且无需转义引号和其他特殊字符。
于 2012-05-24T12:20:00.947 回答