1

看来我是个白痴,试图用 C# 对 SQL 数据库执行简单的查询。这是查询,我正在尝试执行:

 _query = "SELECT PC.SN, User.Name + ' ' + User.Family as AssignedTo " +  
          "FROM PC LEFT JOIN Users ON PC.USERID = Users.ID " + 
          "WHERE PC.Type = '" + AssetTypeCB.SelectedItem.ToString() + "'";

问题是我收到“无法在 nvarchar 上调用方法”错误消息。你知道可能是什么问题吗?

4

3 回答 3

7

您的查询似乎是错误的。您需要更改User.NameUsers.Name, 等。正确的查询是:

 _query = "SELECT PC.SN, Users.Name + ' ' + Users.Family as AssignedTo " +
          "FROM PC LEFT JOIN Users ON PC.USERID = Users.ID " + 
          "WHERE PC.Type = '" + AssetTypeCB.SelectedItem.ToString() + "'";

另外,请允许我建议对您的代码使用参数化查询。可以告诉你为什么应该这样做。

于 2013-01-24T11:05:42.700 回答
0

此查询会将您暴露给 SQL 注入攻击。您应该将其转换为准备好的语句,但实际错误来自您使用表名 Users。你有 SELECT ... User应该是用户,你没有得到错误的列名错误的原因是因为 User 是一个保留关键字,因此 SQL Server 会给你这个特定的错误,除非你用 [] 分隔表名. 下面的代码应该修复它。

string _query = "SELECT PC.SN, Users.Name + ' ' + Users.Family as AssignedTo FROM PC LEFT JOIN Users ON PC.USERID = Users.ID WHERE PC.Type = @Type";

SqlConnection conn = new SqlConnection("YOUR_CONNECTION_STRING");
SqlCommand cmd = new SqlCommand(_query, connection);
cmd.Parameters.AddWithValue("Type", AssetTypeCB.SelectedItem.Value);
DataTable dt = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter(cmd);
adp.Fill(dt);

如果您的表名实际上是用户,那么此代码将修复错误

string _query = "SELECT PC.SN, [User].Name + ' ' + [User].Family as AssignedTo FROM PC LEFT JOIN [User] ON PC.USERID = [User].ID WHERE PC.Type = @Type";

SqlConnection conn = new SqlConnection("YOUR_CONNECTION_STRING");
SqlCommand cmd = new SqlCommand(_query, connection);
cmd.Parameters.AddWithValue("Type", AssetTypeCB.SelectedItem.ToString());
DataTable dt = new DataTable();
SqlDataAdapter adp = new SqlDataAdapter(cmd);
adp.Fill(dt);

更多关于 SQL 注入攻击

假设 smooene 在您的原始语句中输入了以下值。

'; DELETE FROM Users; --

当您执行 SQL 语句时,SQL Server 会将其解释为:

SELECT PC.SN, User.Name + ' ' + User.Family as AssignedTo  
FROM PC LEFT JOIN Users ON PC.USERID = Users.ID 
WHERE PC.Type = ''; DELETE FROM Users; --'

该语句是完全有效的,并且考虑到您的用户拥有的权限级别,这可能会从用户表中删除所有记录。使用准备好的语句有助于阻止这种情况的发生。

于 2013-01-24T11:21:19.360 回答
0

我认为最好在查询中添加参数

using System;
using System.Data;
using System.Data.SqlClient;

class ParamDemo
{
    static void Main()
    {
        // conn and reader declared outside try
        // block for visibility in finally block
        SqlConnection conn   = null;
        SqlDataReader reader = null;

        string inputCity = "London";

        try
        {
            // instantiate and open connection
            conn =  new 
                SqlConnection("Server=(local);DataBase=Northwind;Integrated Security=SSPI");
            conn.Open();

            // don't ever do this
            // SqlCommand cmd = new SqlCommand(
            // "select * from Customers where city = '" + inputCity + "'";

            // 1. declare command object with parameter
            SqlCommand cmd = new SqlCommand(
                "select * from Customers where city = @City", conn);

            // 2. define parameters used in command object
            SqlParameter param  = new SqlParameter();
            param.ParameterName = "@City";
            param.Value         = inputCity;

            // 3. add new parameter to command object
            cmd.Parameters.Add(param);

            // get data stream
            reader = cmd.ExecuteReader();

            // write each record
            while(reader.Read())
            {
                Console.WriteLine("{0}, {1}", 
                    reader["CompanyName"], 
                    reader["ContactName"]);
            }
        }
        finally
        {
            // close reader
            if (reader != null)
            {
                reader.Close();
            }

            // close connection
            if (conn != null)
            {
                conn.Close();
            }
        }
    }
}
于 2013-01-24T11:08:22.020 回答