
I am trying to get the top 3 rows of safety data from the database based on the selection. Right now I can get the top 3 safety values from the database by equipment and plant selection and insert them into textboxes.

When I write "' or Safety '" + textbox.text + it is getting other plant and equipment selections.

sqlcon1.Open();

// The WHERE clause is read as (type AND plant AND safety1) OR safety2 OR safety3,
// so the second and third Safety terms also match rows of other plants/equipment.
SqlDataAdapter Data = new SqlDataAdapter(@"select * from ****** Where "
    + "[Equipment Type]='" + equipmenttype_combobox.Text.Trim()
    + "' and Plant='"   + plant_combobox.Text.Trim()
    + "' and Safety= '" + firstsafety_textbox.Text.Trim()
    + "' or Safety='"   + secondsafety_textbox.Text.Trim()
    + "' or Safety='"   + thirdsafety_textbox.Text.Trim() + "'", sqlcon1);

DataTable dt1 = new DataTable();
Data.Fill(dt1);

datagridview1.DataSource = dt1;

sqlcon1.Close();

1 Answer


Keep your sql readable with the help of verbatim strings and string interpolation, and many errors will become evident. Here you should either put Safety = ... or Safety = ... in parentheses, (Safety = ... or Safety = ...), or use the in construction, Safety in (...).

A quick but dirty fix is

...
string sql = $@"select * 
                  from Makerinfo 
                 where [Equipment Type] = '{equipmenttype_combobox.Text.Trim()}' 
                   and [Plant]          = '{plant_combobox.Text.Trim()}'
                   and [Safety]       in ('{firstsafety_textbox.Text.Trim()}', 
                                          '{secondsafety_textbox.Text.Trim()}', 
                                          '{thirdsafety_textbox.Text.Trim()}')";

SqlDataAdapter Data = new SqlDataAdapter(sql, sqlcon1);

...

However, this implementation has at least 3 flaws:

  1. It is prone to SQL injection
  2. It will crash on equipmenttype_combobox.Text = "Browns' equipment" (note the ')
  3. For different plants you have different queries, which should be parsed, optimized etc.

A better approach is a parameterized query

...

string sql = $@"select * 
                  from Makerinfo 
                 where [Equipment Type] = @prm_Equipment 
                   and [Plant]          = @prm_Plant
                   and [Safety]       in (@prm_Safety_1, @prm_Safety_2, @prm_Safety_3)";

using (SqlCommand q = new SqlCommand(sql, sqlcon1)) {
  // I don't know the underlying RDBMS types, that's why I've put AddWithValue
  //TODO: change AddWithValue to Add and provide the right rdbms type
  // Something (and most probably) like
  //  q.Parameters.Add("@prm_Equipment", SqlDbType.VarChar).Value =
  //    equipmenttype_combobox.Text.Trim();
  q.Parameters.AddWithValue("@prm_Equipment", equipmenttype_combobox.Text.Trim());
  q.Parameters.AddWithValue("@prm_Plant",     plant_combobox.Text.Trim());
  q.Parameters.AddWithValue("@prm_Safety_1",  firstsafety_textbox.Text.Trim());
  q.Parameters.AddWithValue("@prm_Safety_2",  secondsafety_textbox.Text.Trim());
  q.Parameters.AddWithValue("@prm_Safety_3",  thirdsafety_textbox.Text.Trim());  

  using (var reader = q.ExecuteReader()) {
    DataTable dt1 = new DataTable();
    dt1.Load(reader);
    datagridview1.DataSource = dt1;
  }
}

...
Answered 2020-01-16T08:57:04.097
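As an added example (not part of the question or the answer above), the following Python script reproduces the precedence bug and the two fixes against an in-memory SQLite table standing in for the Makerinfo table; the rows are constructed, and SQLite's ? placeholders take the place of SQL Server's @prm_... parameters.

```python
import sqlite3

# Constructed sample rows standing in for the page's Makerinfo table; SQLite
# replaces SQL Server here so the example runs offline. Column names follow
# the question ([Equipment Type], Plant, Safety).
ROWS = [
    ("Pump",  "Plant A", "S1"),
    ("Pump",  "Plant A", "S2"),
    ("Pump",  "Plant A", "S3"),
    ("Pump",  "Plant A", "S9"),   # safety value outside the requested three
    ("Valve", "Plant B", "S2"),   # other plant and equipment, must not match
    ("Pump",  "Plant C", "S3"),   # other plant, must not match
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table Makerinfo ([Equipment Type] text, Plant text, Safety text)")
    con.executemany("insert into Makerinfo values (?, ?, ?)", ROWS)
    return con

def query_concatenated(con, equipment, plant, safeties):
    """The question's query, built by concatenation. AND binds tighter than OR,
    so the WHERE clause is read as (type AND plant AND safety1) OR safety2 OR
    safety3, and a quote in any input breaks the statement."""
    s1, s2, s3 = safeties
    sql = ("select * from Makerinfo where [Equipment Type]='" + equipment
           + "' and Plant='" + plant
           + "' and Safety='" + s1
           + "' or Safety='" + s2
           + "' or Safety='" + s3 + "'")
    return con.execute(sql).fetchall()

def query_parameterized(con, equipment, plant, safeties):
    """The answer's query: Safety in (...) with one placeholder per value
    (SQLite '?' stands in for SQL Server's @prm_... parameters), so quotes in
    the input are data, not SQL, and only rows of the chosen plant match."""
    placeholders = ", ".join("?" * len(safeties))
    sql = ("select * from Makerinfo where [Equipment Type] = ? and Plant = ? "
           f"and Safety in ({placeholders})")
    return con.execute(sql, (equipment, plant, *safeties)).fetchall()

if __name__ == "__main__":
    db = make_db()
    wanted = ("S1", "S2", "S3")
    print(query_concatenated(db, "Pump", "Plant A", wanted))   # 5 rows, plants A, B and C
    print(query_parameterized(db, "Pump", "Plant A", wanted))  # 3 rows, all Plant A
```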