0

当单击搜索按钮时,它给了我这个错误('43'附近的语法不正确)43是区域ID,我确保所有表中的区域ID都相同并且政府ID也相同,这是我使用的代码

protected void Button1_Click(object sender, EventArgs e)
{
    //Page.RegisterStartupScript("open", "<script language=javascript>alert('dd')</script>");
    //   Session["conection"] = "Data Source=MEDICONSULT;Initial Catalog=test;Integrated Security=True";
    Session["conection"] = "Data Source=MEDICONSULT;Initial Catalog=test1;Integrated Security=True";

    SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["testConnectionString"].ConnectionString);
    connection.Open();
    SqlCommand command = new SqlCommand();
    connection = new SqlConnection((string) Session["conection"]);
    connection.Open();
    SqlDataAdapter da_1 = new SqlDataAdapter(command);
    da_1 = new SqlDataAdapter();
    command = new SqlCommand();
    command.Connection = connection;
    string sql1 = "select Address1,provname from sites where cat_id=2";

    if (addressTextBox.Text != "")
    {
        sql1 = "SELECT provname,address1,LAT,LONG FROM site where cat_id=2 and provname like '%'+@provname+'%'";
        SqlParameter search = new SqlParameter();
        search.ParameterName = "@provname";
        search.Value = addressTextBox.Text.Trim();
        command.Parameters.Add(search);
    }

    if (DropDownList1.SelectedValue != "0")
    {
        sql1 = " SELECT area, address1, provname FROM sites WHERE cat_id=2 and gov_id='" + DropDownList1.SelectedValue + "'";
    }

    if (DropDownList2.SelectedValue != "0" && DropDownList1.SelectedValue != "0")
    {
        sql1 = "SELECT area, address1,provname FROM sites WHERE cat_id=2 and gov_id='" + DropDownList1.SelectedValue + "and area_id='" + DropDownList2.SelectedValue;
    }

    command.CommandText = sql1;
    da_1.SelectCommand = command;
    ds_1 = new DataSet();
    da_1.Fill(ds_1, "sites");

    searchResults.DataSource = ds_1;
    searchResults.DataBind();
    Label1.Text = ds_1.Tables[0].Rows.Count > 0 ? ds_1.Tables[0].Rows.Count.ToString() : "لا يوجد نتائج من البحث الذي ادخلته";
}
4

2 回答 2

1

'您在查询的 and之前and和之后错过了一个单引号。

 sql1 = "SELECT area, address1,provname FROM sites WHERE cat_id=2 and gov_id='" + DropDownList1.SelectedValue + "'"+ " and area_id='" + DropDownList2.SelectedValue+"'";

但我肯定会说请使用参数化查询。

Sql1 = "SELECT area, address1,provname FROM sites WHERE cat_id=2 and gov_id= @gov_id and area_id= @area_id";
SqlCommand cmd = new SqlCommand(sql1, conn);
cmd.Parameters.AddWithValue("@gov_id", DropDownList1.SelectedValue);
cmd.Parameters.AddWithValue("@area_id", DropDownList2.SelectedValue);
于 2013-09-15T10:47:53.343 回答
1

您应该改用参数化查询

这种字符串连接对SQL 注入攻击是开放的。最常见的是,您可能会'在这种连接中忘记一些单引号 ( ),并且要找到忘记这些引号的位置会非常困难。

sql1 = "SELECT area, address1,provname FROM sites WHERE cat_id=2 and gov_id= @gov and area_id= @area_id";
SqlCommand cmd = new SqlCommand(sql1, conn);
cmd.Parameters.AddWithValue("@gov", DropDownList1.SelectedValue);
cmd.Parameters.AddWithValue("@area_id", DropDownList2.SelectedValue);
于 2013-09-15T10:50:23.503 回答