c# - 如何使用 C# 实现对特定年份和数量的搜索

Question

这是一个 SQL 数据库的小演示，可以在其中从 SQL 服务器添加、更新删除成员。

一个 SQL Server DB 中有两张表，一张是“members”，第二张是“overview”。

• 在会员中有不同的ID栏和会员个人信息，如姓名、地址电话等。
• 总而言之，只有 dID、年份和金额三列。

有一个单一的窗体，语言是 c#，项目是在 Visual Studio 2010 中构建的，当然数据库在 SQL Server 2010 中。

Windows 窗体有一个“重置、插入、更新和删除”按钮。

• 除了 dID 文本框外，还有一个按钮可以插入不同的 ID，单击“搜索”按钮后，通过填写所有出现姓名地址电话的文本框，显示有关成员的最后一个条目。这提供了可以查看成员完整信息并且可以进行更改或可以从 dB 中删除更改的功能。
• 特别是有两个文本框，分别是Year & Amount，表示会员在某一年已经支付了一定的金额。

但正如我在文本框中提到的，您只能看到最后输入的内容。我想要实现的功能是，在插入 x 人的 dID 之后，我只能在能够插入的年份文本框中说任何前一年和新闻搜索，通常应该用信息填充所有文本框，并且数量文本框应该显示来自分贝的条目，根据我输入的年份有多少金额，或者没有任何内容，这意味着可能是会员在某一年没有付款。

我需要帮助以编程方式实现此逻辑，因此我想请求帮助。

目前的方案如下：

using System; 
using System.Collections.Generic; 
using System.ComponentModel; 
using System.Data; 
using System.Data.SqlClient;
using System.Drawing; 
using System.Linq; 
using System.Text; 
using System.Windows.Forms;

namespace SQLDatabase 
{
     public partial class SQLDBDisplay : Form
     {
     SqlConnection con = new SqlConnection("Data Source=JG-PC\\SQLEXPRESS;Initial Catalog=TEST;Integrated Security=True");

     public SQLDBDisplay()
     {
         InitializeComponent();
     }
     SqlDataAdapter da;
     DataSet ds = new DataSet();


     private void btnSearch_Click(object sender, EventArgs e)
     {
         SqlDataReader reader;
         SqlCommand cmd = new SqlCommand();
         try
         {
             string sql = "SELECT * FROM members where dID =  '" + txtdID.Text + "' ";
             txtYear.Text = sql;
             cmd.Connection = con;
             cmd.CommandText = sql;
             con.Open();
             reader = cmd.ExecuteReader();
             while (reader.Read())
             {
                 txtID.Text = reader["ID"].ToString();
                 txtName.Text = reader["Name"].ToString();
                 txtAddress.Text = reader["Address"].ToString();
                 txtMobile.Text = reader["Mobile"].ToString();
                 txtEmail.Text = reader["Email"].ToString();
                 txtdID.Text = reader["dID"].ToString();

             }
             con.Close();

             sql = "SELECT * FROM Overview where dID =  '" + txtdID.Text + "' ";
             txtYear.Text = txtYear.Text + " : " + sql;
             cmd.Connection = con;
             cmd.CommandText = sql;
             con.Open();
             reader = cmd.ExecuteReader();
             while (reader.Read())
             {
                 txtYear.Text = reader["Year"].ToString();
                 txtAmount.Text = reader["Amount"].ToString();
                 txtdID.Text = reader["dID"].ToString();

             }
             con.Close();
         }
         catch (Exception ex)
         {
             MessageBox.Show(ex.Message.ToString());
         }
     }

     private void btnReset_Click(object sender, EventArgs e)
     {
         txtdID.Text = ""; txtName.Text = ""; txtAddress.Text = "";
         txtMobile.Text = ""; txtEmail.Text = ""; txtYear.Text = "";
         txtAmount.Text = "";
     }

     private void btnInsert_Click(object sender, EventArgs e)
     {
         SqlCommand cmd = new SqlCommand();
         string Sql = "INSERT INTO members (dID, Name, Address, Email, Mobile) VALUES ( '" + txtdID.Text+ "','" + txtName.Text + "','"
+ txtAddress.Text + "', '" + txtEmail.Text + "', '" + txtMobile.Text + "')";
         cmd.CommandText = Sql;
         cmd.Connection = con;
         con.Open();
         cmd.ExecuteNonQuery();
         con.Close();
         Sql = "INSERT INTO Overview (dID, Year, Amount) VALUES ('"+ txtdID.Text +"' ,'" + txtYear.Text + "','" + txtAmount.Text +
"')";
         cmd.CommandText = Sql;
         cmd.Connection = con;
         con.Open();
         cmd.ExecuteNonQuery();
         con.Close();
         MessageBox.Show("Record Inserted Scuessfully!!!");
         for (int i = 0; i < this.Controls.Count; i++)
         {
             if (this.Controls[i] is TextBox)
             {
                 this.Controls[i].Text = "";
             }
         }
     }

     private void btnUpdate_Click(object sender, EventArgs e)
     {
          try
         {
             SqlCommand cmd = new SqlCommand();
             string Sql = "Update members set Name = '" + txtName.Text + "', Address = '" + txtAddress.Text + "', Email = '" +
txtEmail.Text + "', Mobile = '" + txtMobile.Text + "'  WHERE dID = '"
+ txtdID.Text + "'";
             cmd.CommandText = Sql;
             cmd.Connection = con;
             con.Open();
             cmd.ExecuteNonQuery();
             con.Close();

             Sql = "Update overview set Year = '" + txtYear.Text + "', Amount = '" + txtAmount.Text + "' WHERE dID = '"+ txtdID.Text+"'";
             cmd.CommandText = Sql;
             cmd.Connection = con;
             con.Open();
             cmd.ExecuteNonQuery();
             MessageBox.Show("Data Scuessfully Updated");
             con.Close();
         }
         catch (Exception error)
         {
             MessageBox.Show(error.ToString());
         }

          for (int i = 0; i < this.Controls.Count; i++)
          {
              if (this.Controls[i] is TextBox)
              {
                  this.Controls[i].Text = "";
              }
          }
     }

     private void btnDelete_Click(object sender, EventArgs e)
     {
         SqlCommand cmd = con.CreateCommand();
         cmd.CommandType = CommandType.Text;
         cmd.CommandText = "DELETE FROM members WHERE dID = '"+ txtdID.Text +"'";
         con.Open();
         cmd.ExecuteNonQuery();

         cmd.CommandText = "DELETE FROM overview WHERE dID = '" + txtdID.Text + "'";
         cmd.ExecuteNonQuery();
         da = new SqlDataAdapter(cmd);

         MessageBox.Show("Record Scuessfully Deleted !");
         con.Close();

         for (int i = 0; i < this.Controls.Count; i++)
         {
             if (this.Controls[i] is TextBox)
             {
                 this.Controls[i].Text = "";
             }
         }
     }


     private void btnClose_Click(object sender, EventArgs e)
     {
         Application.Exit();
     }

 } }

Answer 1

您需要对SELECT列进行分组Amount。您的问题的一个简单答案是修改您的第二个选择查询，如下所示：

sql = "SELECT Year, dID, SUM(Amount) as Amount FROM Overview where dID =  '" + txtdID.Text + "' AND Year = " + txtYear.Text + "GROUP BY amount";

可能，您想使用txtYear.TextSQL 参数的值，所以：

txtYear.Text = sql;

和

txtYear.Text = txtYear.Text + " : " + sql;

在您的代码中没有太多意义。

当然，这不是正确的方法，因为它容易发生SQL 注入。我建议您使用SQL 存储过程，这对于 SQL 注入来说绝对安全。

对代码质量的另一个改进是您应该使用using语句来包含SQLConnection、SQLCommand和SQLDataReader对象的初始化。

Answer 2

为了给人们对参数和 sql 注入的评论添加一个解决方案，我倾向于在连接到任何数据库时使用下面的代码。

using(SqlConnection connection = new SqlConnection("YOUR CONNECTION STRING"))
{
    try
    {
        using(SqlCommand command = new SqlCommand())
        {
            command.CommandText = "SELECT * FROM members where dID = @MyId";
            command.Connection = connection;

            // Set the SqlDbType to your corresponding type
            command.Parameters.Add("@MyId", SqlDbType.VarChar).Value = txtdID.Text;

            connection.Open();

            SqlDataReader reader = command.ExecuteReader();

            while (reader.Read())
            {
                txtID.Text = reader["ID"].ToString();
                txtName.Text = reader["Name"].ToString();
                txtAddress.Text = reader["Address"].ToString();
                txtMobile.Text = reader["Mobile"].ToString();
                txtEmail.Text = reader["Email"].ToString();
                txtdID.Text = reader["dID"].ToString();

            }
        }
    }
    finally
    {
        connection.Close();
    }
 }