string SqlStr="select * from TableName where 1=1 and "; if(TextBox1.Text.Trim()!="") { SqlStr+="UserName='"+TextBox1.Text; } if(TextBox2.Text.Trim()!="") { //以此类推 }
string SqlStr="select * from TableName where 1=1 and "; if(TextBox1.Text.Trim()!="") { SqlStr+="UserName='"+TextBox1.Text+"' or "; } if(TextBox2.Text.Trim()!="") { //以此类推 }
用or就不用判断了这个判断是要用and链接的string SqlStr="select * from TableName where 1=1"; if(TextBox1.Text.Trim()!="") { SqlStr+=" UserName='"+TextBox1.Text+"'"; } if(TextBox2.Text.Trim()!="") { SqlStr+=" and StudentNum='"+TextBox2.Text+"'"; }
string SqlStr="select * from TableName where 1=1"; if(TextBox1.Text.Trim()!="") { SqlStr+=" and UserName='"+TextBox1.Text+"'";//上面这里少了个and } if(TextBox2.Text.Trim()!="") { SqlStr+=" and StudentNum='"+TextBox2.Text+"'"; }
string Sql="select * from tableName where 1=1" if(TextBox1.Text.Trim()!="") { Sql+=" UserName='"+TextBox1.Text+"'"; } if(TextBox2.Text.Trim()!="") { Sql+=" and StudentNum='"+TextBox2.Text+"'"; } if(TextBox3.Txt.Trim()!="") { Sql+=" and StudentNum='"+TextBox3Text+"'"; }
LS:动态构造SQL语句会产生安全隐患哈。容易被SQL注入攻击。
System.Text.StringBuilder SqlCmd = new System.Text.StringBuilder("select * from table where 1=1 "); bool haveOtheItem = false; if (ckBoxRadio.Checked) { SqlCmd.Append(" and Radio.名称='" + this.ddlRadio.SelectedItem.Text + "'"); haveOtheItem = true; } if (!haveOtheItem) { this.dgRecord.DataSource = DataAccess.SqlHelper.ExecuteDataset(RadioParameters.SqlConnString(), CommandType.Text, "select top 5 * from table").Tables[0]; } else { this.dgRecord.DataSource = DataAccess.SqlHelper.ExecuteDataset(RadioParameters.SqlConnString(), CommandType.Text, SqlCmd.ToString()).Tables[0]; } this.dgRecord.DataBind();
select * from table where (studentnum=@studentnum or @studentnum is null) and (studentname=@studentname or @studentname is null) and (class=@class or @class is null)
Sql="select * from table where 1=1 "; string condition=""; if (ckBoxRadio.Checked) { condition+=" and Radio.名称='" + this.ddlRadio.SelectedItem.Text+"'"
} if (chk.Checked) { condition+=" and Radio.名称='" + this.ddlRadio.SelectedItem.Text+"'" }sql+=condition; 这样组合查询..
if(TextBox1.Text.Trim()!="")
{
SqlStr+="UserName='"+TextBox1.Text;
}
if(TextBox2.Text.Trim()!="")
{
//以此类推
}
if(TextBox1.Text.Trim()!="")
{
SqlStr+="UserName='"+TextBox1.Text+"' or ";
}
if(TextBox2.Text.Trim()!="")
{
//以此类推
}
不是or那么简单
================
先设置3个textbox的text为“”空,string selstring = "select * from table where";
最后查询时
if(textbox1.text != "")
{
selstring += "studentnum='" + selstring +"'"
}
if()
{
selstring += "studentname='" + selstring +"'"
}
if()
{
selstring += "class='" + selstring +"'"
}
if(TextBox1.Text.Trim()!="")
{
SqlStr+=" UserName='"+TextBox1.Text+"'";
}
if(TextBox2.Text.Trim()!="")
{
SqlStr+=" and StudentNum='"+TextBox2.Text+"'";
}
string SqlStr="select * from TableName where 1=1";
if(TextBox1.Text.Trim()!="")
{
SqlStr+=" and UserName='"+TextBox1.Text+"'";//上面这里少了个and
}
if(TextBox2.Text.Trim()!="")
{
SqlStr+=" and StudentNum='"+TextBox2.Text+"'";
}
if(TextBox1.Text.Trim()!="")
{
Sql+=" UserName='"+TextBox1.Text+"'";
}
if(TextBox2.Text.Trim()!="")
{
Sql+=" and StudentNum='"+TextBox2.Text+"'";
}
if(TextBox3.Txt.Trim()!="")
{
Sql+=" and StudentNum='"+TextBox3Text+"'";
}
{
SqlCmd.Append(" and Radio.名称='" + this.ddlRadio.SelectedItem.Text + "'");
haveOtheItem = true;
} if (!haveOtheItem)
{
this.dgRecord.DataSource = DataAccess.SqlHelper.ExecuteDataset(RadioParameters.SqlConnString(), CommandType.Text, "select top 5 * from table").Tables[0];
}
else
{
this.dgRecord.DataSource = DataAccess.SqlHelper.ExecuteDataset(RadioParameters.SqlConnString(), CommandType.Text, SqlCmd.ToString()).Tables[0];
} this.dgRecord.DataBind();
string condition="";
if (ckBoxRadio.Checked)
{
condition+=" and Radio.名称='" + this.ddlRadio.SelectedItem.Text+"'"
}
if (chk.Checked)
{
condition+=" and Radio.名称='" + this.ddlRadio.SelectedItem.Text+"'"
}sql+=condition;
这样组合查询..