string str姓名;
string str生日范围;
string str顾客ID;
string str地址;
string str购货金额; //.... 赋值 str姓名 = (str姓名 == "") ?"姓名" : "'"+ str姓名 +"'";
str生日范围 = (str生日范围 == "") ?"生日范围" : "'"+ str生日范围 +"'";
str顾客ID = (str顾客ID == "") ?"顾客ID" : "'"+ str顾客ID +"'";
str地址 = (str地址 == "") ?"地址" : "'"+ str地址 +"'";
str购货金额 = (str购货金额 == "") ?"购货金额" : "'"+ str购货金额 +"'"; string strSQL = "select * from Table where 姓名 = "+ str姓名 +" and 生日范围 = "+ str生日范围 +" and 顾客ID = "+ str顾客ID +" and 地址 = "+ str地址 +" and 购货金额 = "+ str购货金额;以上虽然简单,但是会出现SQL攻击
string str生日范围;
string str顾客ID;
string str地址;
string str购货金额; //.... 赋值 str姓名 = (str姓名 == "") ?"姓名" : "'"+ str姓名 +"'";
str生日范围 = (str生日范围 == "") ?"生日范围" : "'"+ str生日范围 +"'";
str顾客ID = (str顾客ID == "") ?"顾客ID" : "'"+ str顾客ID +"'";
str地址 = (str地址 == "") ?"地址" : "'"+ str地址 +"'";
str购货金额 = (str购货金额 == "") ?"购货金额" : "'"+ str购货金额 +"'"; string strSQL = "select * from Table where 姓名 = "+ str姓名 +" and 生日范围 = "+ str生日范围 +" and 顾客ID = "+ str顾客ID +" and 地址 = "+ str地址 +" and 购货金额 = "+ str购货金额;以上虽然简单,但是会出现SQL攻击
string select2="";
string select3="";
string select4="";
string select5="";
string wherestring="where ";
long fenlei=0;
if(name.Text.Trim()!=null)
{
wherestring+="姓名="+name.Text.Trim() + " and ";
}
if(gustid.Text.Trim()!=null)
{
wherestring+="顾客ID="+gustid.Text.Trim() + " and ";
}
if(jine.Text.Trim()!=null)
{
wherestring+="购货金额 >"+jine.Text.Trim() + " and ";
}
if(l_bir.Text!=null&&h_bir.Text!=null)
{
wherestring+="生日>="+l_bir.Text.Trim()+"<="+h_bir.Text.Trim() + " and ";
fenlei+=1000;
}
if(instr.Text.Trim()!=null)
{
wherestring+="地址 like %"+instr.Text.Trim()+"%" + " and ";
}wherestring = wherestring.Substring( 0 ,wherestring.Length - 5);
最后一句去除最后的" and "连接符