
我正在尝试在以下搜索功能中实现 ORDER BY 功能:

 /// <summary>
 /// The question's query builder: starts from a fixed SELECT, appends one LIKE filter per
 /// non-empty search box, and is meant to sort by Received_Date.
 /// </summary>
 /// <remarks>
 /// NOTE(review): besides the syntax error asked about, txtRef.Text and txtSubject.Text are
 /// user input concatenated straight into the SQL text. A value containing a single quote
 /// closes the N'...' literal and whatever follows runs as SQL (SQL injection). The values
 /// should be bound with SqlParameter instead of being spliced into the string.
 /// </remarks>
 public DataSet SearchTable()
    {

        // BUG (the question): ORDER BY is emitted here, before any WHERE, so the final text
        // reads "... order by Received_Date where ..." and SQL Server reports
        // "Incorrect syntax near the keyword 'where'". ORDER BY has to be appended last.
        string sql1 = "SELECT * from dbo.Documents1 order by Received_Date";

        // Set once a WHERE has been appended; later filters are then joined with AND.
        bool flag = false;

        if (!txtRef.Text.Equals(""))
        {
            if (flag == false)  // always true here: nothing has set flag yet, so the else is dead
            {
                sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
                flag = true;

            }
            else
            {
                sql1 = sql1 + "  and Ref LIKE N'%" + txtRef.Text + "%'";
            }
        }

        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;

            }
            else
            {
                sql1 = sql1 + "  and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }
        // (the question's listing stops here: the method's closing brace and the code that
        // executes sql1 and returns the DataSet are not shown)

我收到以下错误:

Incorrect syntax near the keyword 'where'.

知道如何解决吗?提前致谢。


3 个回答


您把 ORDER BY 放在了 WHERE 之前。这不是正确的 SQL 语法:ORDER BY 必须位于 WHERE 子句之后。

试试下面的方法:

/// <summary>
/// Same query builder as the question, with ORDER BY moved after the filters so the
/// generated SQL is syntactically valid.
/// </summary>
/// <remarks>
/// NOTE(review): this fixes the syntax error only. txtRef.Text and txtSubject.Text are
/// still concatenated into the SQL text, so the query remains open to SQL injection
/// (a single quote in either box ends the N'...' literal). Prefer the SqlParameter-based
/// approach shown in the last answer on this page.
/// </remarks>
public DataSet SearchTable()
    {

        string sql1 = "SELECT * from dbo.Documents1";

        // Set once a WHERE has been appended; later filters are then joined with AND.
        bool flag = false;

        if (!txtRef.Text.Equals(""))
        {
            if (flag == false)  // always true here: nothing has set flag yet, so the else is dead
            {
                sql1 = sql1 + " where Ref LIKE N'%" + txtRef.Text + "%'";
                flag = true;

            }
            else
            {
                sql1 = sql1 + "  and Ref LIKE N'%" + txtRef.Text + "%'";
            }
        }

        if (!txtSubject.Text.Equals(""))
        {
            if (flag == false)
            {
                sql1 = sql1 + " where Subject LIKE N'%" + txtSubject.Text + "%'";
                flag = true;

            }
            else
            {
                sql1 = sql1 + "  and Subject LIKE N'%" + txtSubject.Text + "%'";
            }
        }

        // ORDER BY goes last, after any WHERE clause.
        sql1 = sql1 + "  order by Received_Date";
        // (the answer's listing stops here: the closing brace and the code that executes
        // sql1 and returns the DataSet are not shown)
于 2013-10-02T09:08:26.547 回答

我创建了一个单独的方法来返回 SQL 查询。“ORDER BY”子句被移到了返回查询之前才追加。另外删除了第一个块中的 if/else 判断,因为此时 flag 必然为 false,该条件总是成立,else 分支永远不会执行。

/// <summary>
/// Builds the document search query: one LIKE filter per non-empty search box, joined
/// with AND, followed by ORDER BY Received_Date (which must come after WHERE — the cause
/// of the syntax error in the question).
/// </summary>
/// <returns>The SQL text to execute.</returns>
/// <remarks>
/// NOTE(review): txtRef.Text and txtSubject.Text are spliced directly into the SQL text,
/// so a single quote in either box breaks out of the N'...' literal and the remainder is
/// executed as SQL (SQL injection). This rewrite only restructures the string building;
/// the real fix is to bind the values as SqlParameter objects as the last answer does.
/// </remarks>
public string GetSQL()
        {
            // Accumulates " where ..." / "  and ..." fragments; empty means no filter yet.
            string whereClause = "";

            if (txtRef.Text.Length > 0)
            {
                whereClause = " where Ref LIKE N'%" + txtRef.Text + "%'";
            }

            if (txtSubject.Text.Length > 0)
            {
                // Two spaces before "and" keep the generated text identical to the original.
                string joiner = whereClause.Length == 0 ? " where " : "  and ";
                whereClause += joiner + "Subject LIKE N'%" + txtSubject.Text + "%'";
            }

            // ORDER BY is appended after the (possibly empty) WHERE clause.
            return "SELECT * from dbo.Documents1" + whereClause + " order by Received_Date";
        }
于 2013-10-02T09:37:33.597 回答

您拥有的代码容易受到SQL 注入的攻击。

为了避免这种情况,您应该尽可能使用SqlParameter。然后代码可能如下所示:

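    /// <summary>
    /// Builds the search command for dbo.Documents1: one LIKE filter per non-blank search
    /// value, joined with AND, then a fixed ORDER BY. The user text never becomes part of
    /// the SQL text — each value is bound to a <see cref="SqlParameter"/>, which is what
    /// closes the injection hole in the concatenating versions above.
    /// </summary>
    /// <returns>The matching documents (the read itself is left as in the original sketch).</returns>
    /// <remarks>
    /// LIKE wildcards typed by the user (%, _, [) still act as wildcards inside the bound
    /// value; if literal matching is required, escape them and add an ESCAPE clause.
    /// </remarks>
    public DataSet SearchTable()
    {
        string sqlStatement = "SELECT * from dbo.Documents1";
        // Becomes true once a WHERE has been emitted, so later filters are joined with AND.
        bool hasWhere = false;

        var reference = "something"; // txtRef.Text
        var subject = "something else"; // txtSubject.Text

        var sqlCommand = new SqlCommand();

        if (!string.IsNullOrWhiteSpace(reference))
        {
            // NVarChar because the original query compared against N'...' literals (and a
            // VarChar parameter would mangle non-Latin search text); confirm the width (100)
            // against the column definition — a longer value is truncated to Size.
            var referenceParameter = new SqlParameter("@referenceParam", SqlDbType.NVarChar, 100) { Value = reference };
            sqlCommand.Parameters.Add(referenceParameter);
            // AddWhereLike's last argument means "is this the first condition" — the
            // original passed the flag un-negated and so emitted AND for the first filter.
            sqlStatement += AddWhereLike("Ref", "@referenceParam", !hasWhere);
            hasWhere = true;
        }

        if (!string.IsNullOrWhiteSpace(subject))
        {
            // The original bound `reference` here by copy/paste, so the Subject filter
            // silently searched for the Ref text.
            var subjectParameter = new SqlParameter("@subjectParam", SqlDbType.NVarChar, 100) { Value = subject };
            sqlCommand.Parameters.Add(subjectParameter);
            sqlStatement += AddWhereLike("Subject", "@subjectParam", !hasWhere);
            hasWhere = true;
        }

        // ORDER BY must follow the WHERE clause.
        sqlStatement += " order by Received_Date";

        sqlCommand.CommandText = sqlStatement;

        // do your database reading here (attach a connection, fill a DataSet from
        // sqlCommand, and return it) — as in the original answer this part is not shown
    }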

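    /// <summary>
    /// Returns a WHERE/AND fragment that compares <paramref name="columnName"/> with a bound
    /// parameter using LIKE. The '%' wildcards are concatenated on the SQL side, so the
    /// caller binds the raw search text and the parameter stays a real parameter.
    /// </summary>
    /// <param name="columnName">Column to filter on. Must be a code-controlled identifier,
    /// never user input — it is spliced into the SQL text.</param>
    /// <param name="paramId">Parameter name including the leading '@'; the caller must add a
    /// matching SqlParameter to the command.</param>
    /// <param name="isFirstWhereCondition">true to open the clause with WHERE, false to
    /// continue it with AND.</param>
    /// <returns>For example " where Ref LIKE N'%' + @referenceParam + N'%' ".</returns>
    /// <exception cref="ArgumentException">columnName or paramId is null or blank.</exception>
    private static string AddWhereLike(string columnName, string paramId, bool isFirstWhereCondition)
    {
        if (string.IsNullOrWhiteSpace(columnName))
        {
            throw new ArgumentException("A column name is required.", "columnName");
        }
        if (string.IsNullOrWhiteSpace(paramId))
        {
            throw new ArgumentException("A parameter name is required.", "paramId");
        }

        // The original had two faults here: `?:` binds looser than `+`, so the true branch
        // returned just " where " and dropped the comparison entirely; and the parameter
        // name sat inside the N'%...%' literal, so SQL Server searched for the literal text
        // "@referenceParam" instead of the bound value. Building the pattern with SQL
        // string concatenation keeps @paramId outside any literal.
        string keyword = isFirstWhereCondition ? " where " : " and ";
        return keyword + columnName + " LIKE N'%' + " + paramId + " + N'%' ";
    }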
于 2013-10-02T09:41:26.363 回答