我的原来语句是 select * from xinxi where id=XX,如果参数化,应该怎样写?各位大哥,说的详细些,好吗?
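// Parameterized lookup: the id travels as a typed SqlParameter, so the SQL text never
// contains user data. Type names corrected (SqlParameter/SqlDbType/SqlConnection/SqlCommand),
// the missing semicolon restored, and connection, command and reader disposed with using.
string sql = "select * from xinxi where id=@id";
SqlParameter para = new SqlParameter("@id", SqlDbType.Int);
para.Value = 33333;
using (SqlConnection con = new SqlConnection(constr))
{
    con.Open();
    using (SqlCommand com = con.CreateCommand())
    {
        com.CommandText = sql;
        com.Parameters.Add(para);
        using (SqlDataReader reader = com.ExecuteReader())
        {
            // consume rows from reader here
        }
    }
}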
// Look up the SqlParameter documentation for details.
// The id is bound as a parameter; the SQL text itself carries no user value.
int id = 1;
string sql = "select * from xinxi where id=@id";
SqlParameter[] param = { new SqlParameter("@id", id) };
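// Check the value's type, encrypt data, parameterize data.
// Corrected snippet: consistent variable names (conn/cmd), the real SqlClient type names
// (SqlParameter, SqlDbType), the parsed value bound instead of the constant 1, the
// unbalanced parentheses fixed, and connection/command/reader disposed with using.
int i = 0;
// Parse the query-string value first so a non-numeric id never reaches SQL.
if (int.TryParse(Request.QueryString["id"], out i))
{
    using (SqlConnection conn = new SqlConnection(""))   // connection string placeholder
    {
        string sql = "select * from xinxi where id=@id";
        SqlParameter para = new SqlParameter("@id", SqlDbType.Int);
        para.Value = i;
        conn.Open();
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add(para);
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                if (dr.Read())
                {
                    // consume the row here
                }
            }
        }
        // conn is closed and disposed by the using block.
    }
}
// http://topic.csdn.net/u/20090708/09/b78444ee-9081-4ff7-8aa5-ba6f9b1d9fdc.html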
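// (asker) This is how I read the data — corrected: the adapter must wrap the parameterized
// command xwcmd. Building it from (xwsql, conn) creates a second command with no parameters,
// which is what raised the error quoted at the end.
DataSet xwdt = new DataSet();
using (SqlConnection conn = new SqlConnection(constr))
using (SqlCommand xwcmd = new SqlCommand())
{
    string xwsql = @"select * from 信息 where id= @id";   // string.Format with no arguments was a no-op
    SqlParameter para = new SqlParameter("@id", SqlDbType.Int);
    // Parse to int so the Int parameter really carries an int; non-numeric input is rejected early.
    int id;
    if (!int.TryParse(Request.QueryString["id"], out id))
    {
        throw new ArgumentException("id must be an integer");
    }
    para.Value = id;
    xwcmd.CommandText = xwsql;
    xwcmd.Parameters.Add(para);
    xwcmd.CommandType = CommandType.Text;
    xwcmd.Connection = conn;
    using (SqlDataAdapter xwsda = new SqlDataAdapter(xwcmd))
    {
        xwsda.Fill(xwdt, "srcTable");   // Fill opens and closes conn itself
    }
}
// Original error: 必须声明标量变量 "@id"。 (Must declare the scalar variable "@id".)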
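// Corrected: AddWithValue infers the SQL type from the .NET value, so passing the raw
// query-string string sends an nvarchar parameter. Parse to int first and add the parameter
// as SqlDbType.Int; non-numeric input is rejected before any SQL runs. Command and adapter
// are disposed with using.
int id;
if (!int.TryParse(Request.QueryString["id"], out id))
{
    throw new ArgumentException("id must be an integer");
}
DataSet ds = new DataSet();
using (SqlCommand cmd = new SqlCommand(xwsql, con))
{
    cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
    using (SqlDataAdapter da = new SqlDataAdapter(cmd))
    {
        con.Open();
        da.Fill(ds);
    }
}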
或过滤单引号,指定数据类型和长度
存储过程
转义/过滤字符(不推荐)
如果参数化,应该怎样写?各位大哥,说的详细些,好吗?
// Look up the SqlParameter documentation for details.
// The id is bound as a parameter; the SQL text itself carries no user value.
int id = 1;
string sql = "select * from xinxi where id=@id";
SqlParameter[] param = { new SqlParameter("@id", id) };
数据参数化
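// Parameterized lookup: the request value is parsed to an int and bound as a typed
// SqlParameter, so the SQL text never contains user input. Corrections to the original:
// consistent names (conn/cmd instead of con/com), real SqlClient type names
// (SqlParameter, SqlDbType), the parsed value bound instead of the constant 1, the
// unbalanced parentheses and the missing semicolon fixed, Close() capitalised, and
// connection/command/reader disposed with using.
int i = 0;
// Reject anything that is not an integer before touching the database.
if (int.TryParse(Request.QueryString["id"], out i))
{
    using (SqlConnection conn = new SqlConnection(""))   // connection string placeholder
    {
        string sql = "select * from xinxi where id=@id";
        SqlParameter para = new SqlParameter("@id", SqlDbType.Int);
        para.Value = i;
        conn.Open();
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add(para);
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                if (dr.Read())
                {
                    // consume the row here
                }
            }
        }
        // conn is closed and disposed by the using block; no explicit Close() needed.
    }
}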
http://topic.csdn.net/u/20090708/09/b78444ee-9081-4ff7-8aa5-ba6f9b1d9fdc.html
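// Corrected: the adapter must wrap the parameterized command xwcmd. Building it from
// (xwsql, conn) creates a second command with no parameters attached, which is what
// raises "必须声明标量变量 @id" (must declare the scalar variable @id).
DataSet xwdt = new DataSet();
using (SqlConnection conn = new SqlConnection(constr))
using (SqlCommand xwcmd = new SqlCommand())
{
    string xwsql = @"select * from 信息 where id= @id";   // string.Format with no arguments was a no-op
    SqlParameter para = new SqlParameter("@id", SqlDbType.Int);
    // Parse to int so the Int parameter really carries an int; non-numeric input is rejected early
    // instead of failing inside Fill.
    int id;
    if (!int.TryParse(Request.QueryString["id"], out id))
    {
        throw new ArgumentException("id must be an integer");
    }
    para.Value = id;
    xwcmd.CommandText = xwsql;
    xwcmd.Parameters.Add(para);
    xwcmd.CommandType = CommandType.Text;
    xwcmd.Connection = conn;
    using (SqlDataAdapter xwsda = new SqlDataAdapter(xwcmd))
    {
        xwsda.Fill(xwdt, "srcTable");   // Fill opens and closes conn itself
    }
}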
出现的错误是:必须声明标量变量 "@id"。
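// Corrected: AddWithValue infers the SQL type from the .NET value, so passing the raw
// query-string string sends an nvarchar parameter (the type cannot be pinned to int that way).
// Parse to int first and add the parameter as SqlDbType.Int; non-numeric input is rejected
// before any SQL runs. Command and adapter are disposed with using.
int id;
if (!int.TryParse(Request.QueryString["id"], out id))
{
    throw new ArgumentException("id must be an integer");
}
DataSet ds = new DataSet();
using (SqlCommand cmd = new SqlCommand(xwsql, con))
{
    cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
    using (SqlDataAdapter da = new SqlDataAdapter(cmd))
    {
        con.Open();
        da.Fill(ds);
    }
}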
这一句好像就不能控制参数的类型为 int 了(AddWithValue 按传入的 .NET 值推断参数类型,传字符串就会变成 nvarchar)。
希望对你有用,我刚下了,你自己搜搜吧。