
I have the following code in my aspx.cs page... and I'm having a problem fetching session values in my SQL query:

connection.Open();
// The Session lookups below sit inside the SQL string, so SQL Server receives the
// literal text Session['selDate'] rather than the session values (this is the bug being asked about).
string sqlStatement = @"SELECT date as 'Date',name as 'Name',gender as 'Gender',
                       age as 'Age',addr as 'Address',perAddr as 'Permanent Address',
                       pno as 'Phone No',altName as 'Alternate Contact Person',
                       altPno as 'Alternate Person Pno',fever as 'Duration Of Fever',
                       locType as 'Location Type',patType as 'Patient Type',
                       radTreat as 'Radical Treatment Given?', followup as 'Treatment Status',
                       taluk as 'Taluk',phc as 'PHC',malType as 'Malaria Type',
                       death as 'Death Status' FROM patients
                       WHERE (date=Session['selDate'] and name=Session['selName'])";
SqlCommand sqlCmd = new SqlCommand(sqlStatement, connection);
SqlDataAdapter sqlDa = new SqlDataAdapter(sqlCmd);
DataTable dt = new DataTable();

1 Answer


Well, have a look at this link to see how session items work. Briefly:

string firstName = (string)(Session["First"]);
string lastName = (string)(Session["Last"]);
string city = (string)(Session["City"]);

Further: don't write the query by hand, use query parameters instead; that prevents SQL injection and a lot of trouble caused by type conversion (date/time, floating-point numbers with different decimal separators, etc.).
So you should try

// Verbatim string so the query can span lines; values are passed as parameters, not pasted into the SQL text.
string sqlStatement = @"SELECT date as 'Date',name as 'Name', ....
                       WHERE date=@pData AND name=@pName";
SqlCommand sqlCmd = new SqlCommand(sqlStatement, connection);
sqlCmd.Parameters.AddWithValue("@pData", (DateTime)Session["selDate"]);
sqlCmd.Parameters.AddWithValue("@pName", (String)Session["selName"]);
answered 2013-09-04T05:43:53.803
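A fuller version of the parameterised lookup the answer recommends, written here as an added example (it is not the asker's or answerer's code). It assumes the `patients` table and the `selDate`/`selName` session keys from the question, a `connectionString` supplied by the caller, and typed parameters instead of `AddWithValue` so the server never has to guess the column types.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.SessionState;

public static class PatientLookup
{
    // Returns the matching rows, or an empty table when the session holds no usable selection.
    // Assumed names: table 'patients' and session keys selDate/selName from the question.
    public static DataTable FindPatient(HttpSessionState session, string connectionString)
    {
        var dt = new DataTable();

        // Session values are plain objects: check their types before they go anywhere near SQL.
        if (!(session["selDate"] is DateTime selDate) || !(session["selName"] is string selName))
            return dt; // nothing selected yet, or an unexpected type: build no query at all

        // Column names are fixed in the SQL text; only VALUES travel as parameters, so a name
        // such as  O'Brien  is compared literally and is never parsed as part of the statement.
        // [date] is bracketed because it is a reserved word in T-SQL.
        const string sql =
            @"SELECT [date] AS [Date], name AS [Name], gender AS [Gender], age AS [Age]
              FROM patients
              WHERE [date] = @pDate AND name = @pName";

        using (var connection = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, connection))
        {
            // Explicit SqlDbType avoids AddWithValue's inference (e.g. NVARCHAR vs VARCHAR
            // mismatches that defeat indexes, or a date being sent as locale-formatted text).
            cmd.Parameters.Add("@pDate", SqlDbType.Date).Value = selDate.Date;
            cmd.Parameters.Add("@pName", SqlDbType.NVarChar, 100).Value = selName;

            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(dt); // Fill opens and closes the connection itself
            }
        }
        return dt;
    }
}
```

In the page's code-behind this replaces the hand-built `sqlStatement`; the `using` blocks also dispose the connection, which the original `connection.Open()` never closed.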