C# - Web Site - SQL Select Statement

后端 未结 5 1982
深忆病人
深忆病人 2021-01-24 16:29

I want to use a select statement to find if there is a record that already exists. I\'ve put the code below but it throws an error at the dReader = comm.ExecuteReader(); and i\'

相关标签:
5条回答
  • 2021-01-24 16:32

    Change your == to =. That is invalid SQL as it is.

    Also if txtID.Text is non-numeric then it needs to be in single quotes. You should not be constructing your SQL like this, instead use a parameter:

    comm.CommandText = "SELECT * FROM Customers WHERE CustomerID = @CustomerID";
    comm.Parameters.AddWithValue("CustomerID", txtID.Text);    
    

    More Info

    C# using statement

    SQL reference

    SQL injection (why you should parameterize your queries)

    0 讨论(0)
  • 2021-01-24 16:32

    You are using invalid SQL. You name to change "==" to "=".

    You should also consider wrapping your IDisposable objects in using statements so that unmanaged objects are properly disposed of and connections are properly closed.

    Finally, think about using parameters in your SQL, instead of concatenating strings, to avoid SQL injection attacks:

    string connString = @"Data Source=KIMMY-MSI\SQLEXPRESS;Initial Catalog=Northwind;Integrated Security=True";
    string sql = "SELECT * FROM Customers WHERE CustomerID = @CustomerID";
    using (SqlConnection conn = new SqlConnection(connString))
    using (SqlCommand comm = new SqlCommand(sql, conn))
    {
        comm.Connection.Open();
        comm.Parameters.AddWithValue("@CustomerID", txtID.Text);
        using (SqlDataReader dReader = comm.ExecuteReader())
        {
            if (dReader.HasRows == true)
            {
                Response.Write("Exists");
            }   
        }
    }
    
    0 讨论(0)
  • 2021-01-24 16:55

    Change this line:

    comm.CommandText = "SELECT * FROM Customers WHERE CustomerID == " + txtID.Text;
    

    To this line:

    comm.CommandText = "SELECT * FROM Customers WHERE CustomerID = @id";
    comm.Parameters.AddWithValue("id", int.Parse(txtID.Text));
    

    Assuming that your customer id is int on the database.

    0 讨论(0)
  • 2021-01-24 16:55

    The equals operator in SQL is just a single =.

    Also, you really shouldn't be concatenating SQL queries like that, you are just opening yourself up to SQL Injection attack. So change it to be like this:

    comm.CommandText = "SELECT * FROM Customers WHERE CustomerID = @CustomerId";
    comm.Parameters.AddWithValue("@CustomerId", txtID.Text);
    

    See Stop SQL Injection Attacks Before They Stop You on MSDN.

    0 讨论(0)
  • 2021-01-24 16:58

    It looks like your command has an issue:

    SELECT * FROM Customers WHERE CustomerID == 1
    

    In SQL you don't need to use the == operator to ensure something is equal to another.

    Try:

    SELECT * FROM Customers WHERE CustomerID = 1
    

    In addition, you might want to read up about SQL Injection, the way you are binding the value is directly from a textbox value. This has a huge security hole which could lead to arbitrary sql command execution.

    0 讨论(0)
提交回复
热议问题