-1

我可以得到一些帮助吗?我有一个查询,如下所示。现在它显示支票和现金。但我希望它只显示现金查询。是的,我相信我可以编辑它(现在它容易受到 SQL 注入的影响) 

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Data.SqlClient;


namespace MyTestData
{
public partial class frmCollection : Form
{
    public frmCollection()
    {
        InitializeComponent();
    }


    private void dtpFrom_ValueChanged(object sender, EventArgs e)
    {

    }

    private void btnExtract_Click(object sender, EventArgs e)
    {

        SqlConnection objConn = new SqlConnection("MYCONNECTION STRING ETCETC");


        SqlCommand objCmd = new SqlCommand("SELECT CONVERT(char(10),PaidDate,3)
 AS PaidDate,InvoiceNo,PayerCode,CollectedFee,
( CASE ReceiptTypeID WHEN 'Cash' THEN 'CASH' WHEN 'Check' THEN 'CHEQUE' END ) 
AS ReceiptTypeID FROM InvoicePayment 
WHERE (PaidDate >= CONVERT(datetime, '" + dtpFrom.Text + "', 105)) AND (PaidDate <= CONVERT(datetime, '" + dtpTo.Text + "', 105))", objConn);

        SqlDataReader objReader;
        objReader = objCmd.ExecuteReader();

        System.IO.FileStream fs = new System.IO.FileStream("C:\\CMSExportedData\\Collection-" + DateTime.Now.ToString("dd-MM-yyyy") + ".txt", System.IO.FileMode.Create);
        System.IO.StreamWriter sw = new System.IO.StreamWriter(fs, System.Text.Encoding.Default);

        int count = 0;
        while (objReader.Read())
        {

            for (int i = 0; i < 5; i++)
            {
                if (!objReader.IsDBNull(i))
                {
                    string s;
                    s = objReader.GetDataTypeName(i);
                    //MessageBox.Show(s);
                    if (objReader.GetDataTypeName(i) == "char")
                    {
                        sw.Write(objReader.GetString(i));
                    }
                    else if (objReader.GetDataTypeName(i) == "money")

                    {
                        sw.Write(objReader.GetSqlMoney(i).ToString());
                    }
                    else if (objReader.GetDataTypeName(i) == "nvarchar")
                    {
                        sw.Write(objReader.GetString(i));
                    }
                    else if (objReader.GetDataTypeName(i) == "varchar")
                    {
                        sw.Write(objReader.GetString(i));
                    }

                }
                if (i < 4)
                {
                    sw.Write("\t");
                }

            }
            count = count + 1;
            sw.WriteLine();

        }
        sw.Flush();
        fs.Close();
        objReader.Close();
        objConn.Close();
        MessageBox.Show(count + " records exported successfully.");
        this.Close();

    }

    private void frmCollection_Load(object sender, EventArgs e)
    {

    }

    private void dtpFrom_ValueChanged_1(object sender, EventArgs e)
    {

    }
}

}

编辑:这是表结构:

在此处输入图像描述

以下是一些示例数据:

在此处输入图像描述

4

2 回答 2

3 
SqlCommand objCmd = new SqlCommand("SELECT CONVERT(char(10),PaidDate,3) AS PaidDate,InvoiceNo,PayerCode,CollectedFee FROM InvoicePayment WHERE (PaidDate >= CONVERT(datetime, '" + dtpFrom.Text + "', 105)) AND (PaidDate <= CONVERT(datetime, '" + dtpTo.Text + "', 105)) AND ReceiptTypeID = 'Cash'", objConn);

请注意我如何删除案例以显示它是哪种类型,并在 WHERE 语句中添加了一个子句。

还要尽量避免在查询中连接字符串,这会使您容易受到 SQL 注入的攻击。尝试使用类似的参数;

SqlCommand objCmd = new SqlCommand("SELECT CONVERT(char(10),PaidDate,3) AS PaidDate,InvoiceNo,PayerCode,CollectedFee FROM InvoicePayment WHERE (PaidDate >= CONVERT(datetime, @PAIDDATEFROM, 105)) AND (PaidDate <= CONVERT(datetime, @PAIDDATETO, 105)) AND ReceiptTypeID = 'Cash'", objConn);

SqlCommand.Parameters.Add("@PAIDDATEFROM", SqlDbType.DateTime).Value = dtpFrom.Text;
SqlCommand.Parameters.Add("@PAIDDATETO", SqlDbType.DateTime).Value = dtpTo.Text;
于 2012-09-26T07:36:55.323 回答
2

我只希望看到现金

然后像这样WHEN 'Check' THEN 'CHEQUE'CASE表达式中删除:

SELECT 
  CONVERT(char(10),PaidDate,3) AS PaidDate,InvoiceNo,
  PayerCode, CollectedFee, 
  (CASE ReceiptTypeID 
     WHEN 'Cash'  THEN 'CASH'  
  END ) AS ReceiptTypeID 
...

更新:

SELECT 
  CONVERT(char(10), PaidDate,3) AS PaidDate,
  InvoiceNo, CollectedFee, upper(ReceiptTypeID) AS ReceiptTypeID 
FROM @Invoices 
WHERE (PaidDate >= CONVERT(datetime, '20010101', 105))
  AND (PaidDate <= CONVERT(datetime, '20120101', 105))
  AND ReceiptTypeID IS NOT NULL
  AND lower(ReceiptTypeID) <> 'cheque'

演示

于 2012-09-26T07:37:13.607 回答