// intended statement: select * from test where company in('1000','2000','3000')
// The following is the SQL Parameter version
// NOTE(review): a bound parameter carries ONE value, not SQL text. "field" is
// therefore sent as a single 20-character string and the server compares
// company against that whole string instead of expanding it into three list
// members — which is why the executed statement is not the one above.
string field = "'1000','2000','3000'";
string strCmd = "select * from test where company in(@company)";
Parameter para1 = new Parameter("@company",field);
執行結果不是 select * from test where company in('1000','2000','3000')
如何修改以上的 SQL Parameter 写法？
// Two list members, two placeholders. Each value is bound on its own, so the
// SQL text stays constant and the database never parses input as SQL.
const string strCmd = "select * from test where company in(@company1,@company2)";
string field1 = "1000";
string field2 = "2000";
Parameter para1 = new Parameter("@company1", field1);
Parameter para2 = new Parameter("@company2", field2);
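// A single SqlParameter binds ONE value: with "'1000','2000','3000'" as the
// value the server compares company to that literal 20-character string and
// the IN matches nothing. Bind one parameter per list member instead; the
// values then never become part of the SQL text, so the statement cannot be
// altered by what the user typed.
string[] fields = { "1000", "2000", "3000" };   // the real values come from the input
string[] names = new string[fields.Length];
SqlParameter[] paras = new SqlParameter[fields.Length];
for (int i = 0; i < fields.Length; i++)
{
    names[i] = "@company" + i;                   // @company0, @company1, ...
    paras[i] = new SqlParameter(names[i], SqlDbType.VarChar, 30);
    paras[i].Value = fields[i];
}
// Only placeholder names are spliced into the text: in(@company0,@company1,@company2).
// An empty list would yield "in()", a syntax error — callers must handle
// that case before building the command.
string strCmd = "select * from test where company in(" + string.Join(",", names) + ")";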
...
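-- All three variants below splice @idlist into dynamic Transact-SQL. Where the
-- list comes from outside the database, prefer passing it as a table-valued
-- parameter (SQL Server 2008+) or splitting it into a temp table and joining,
-- which needs no dynamic SQL at all.

-- a. the queried column is (presumably) numeric: the list is unquoted. Because
--    @idlist lands in the statement text as-is, anything other than digits and
--    commas would be executed as SQL, so reject such input before EXEC.
--    (An empty or malformed list still fails at EXEC with a syntax error.)
DECLARE @idlist varchar(100)
SET @idlist='1,2,3'
IF @idlist = '' OR @idlist LIKE '%[^0-9,]%'
    RAISERROR('@idlist may contain only digits and commas', 16, 1)
ELSE
    -- build and execute the dynamic Transact-SQL statement
    EXEC('SELECT * FROM tbname WHERE fdname IN('+@idlist+')')
GO
-- b. the queried column is character-typed and the value list already carries
--    its string delimiters. Nothing is escaped here, so this form is only safe
--    when @idlist is assembled by trusted code; values that originate from
--    user input must go through the escaping in case c instead.
DECLARE @idlist varchar(100)
SET @idlist='''a'',''b''''a'',''c'''
-- build and execute the dynamic Transact-SQL statement
EXEC('SELECT * FROM tbname WHERE fdname IN('+@idlist+')')
GO
-- c. the queried column is character-typed and the value list has no
--    delimiters, so each value must be wrapped in quote marks (') when the
--    statement is assembled.
DECLARE @idlist varchar(100)
SET @idlist='a,b''a,c'
DECLARE @s varchar(1000)
-- Double every embedded quote first (so a value such as b'a cannot terminate
-- the literal early), then turn each comma into ',' and wrap the whole list:
--   a,b'a,c  ->  'a','b''a','c'
SET @s=''''
+REPLACE(REPLACE(@idlist,'''',''''''),',',''',''')
+''''
-- build and execute the dynamic Transact-SQL statement
EXEC('SELECT * FROM tbname WHERE fdname IN('+@s+')')
GO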
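// Each list member gets its own placeholder. Reusing "@company" for every
// value (as the original loop did) would simply overwrite one parameter, and
// iterating the question's "field" string would yield chars, not values.
// (The original also misspelled SqlParameter and assigned to an undeclared "name".)
string[] fields = { "1000", "2000", "3000" };   // the real values come from the input
List<string> names = new List<string>(fields.Length);
List<SqlParameter> paras = new List<SqlParameter>(fields.Length);
int i = 0;
foreach (string str in fields)
{
    string name = "@company" + i;                // @company0, @company1, ...
    i++;
    names.Add(name);
    paras.Add(new SqlParameter(name, str));
}
// Only placeholder names are spliced into the SQL text — never the values —
// so the statement cannot be altered by the input. An empty list would yield
// "in()", a syntax error; callers must handle that case before building the command.
string strCmd = "select * from test where company in(" + string.Join(",", names.ToArray()) + ")";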
一般也可以直接拼接 SQL 语句，当然拼接前必须先过滤或转义输入，以防止注入。
// NOTE(review): this is the same single-parameter form as in the question and
// fails for the same reason — "@company" is bound as one value, not as a list,
// so the whole comma-separated string is compared against company.
string strCmd = "select * from test where company in(@company)";
para1 = new Parameter("@company",field);
或SqlParameter[] paras ={
// one parameter per list member; presumably meant for
// in(@company1,@company2,@company3), as in the earlier answer
new SqlParameter("@company1",SqlDbType.NVarChar,100),
new SqlParameter("@company2",SqlDbType.NVarChar,100),
new SqlParameter("@company3",SqlDbType.NVarChar,100)
};
// Values are bound separately from the SQL text, so whatever the user typed
// is never parsed as SQL. The empty strings are placeholders to be filled
// from the actual input.
paras[0].Value = "";
paras[1].Value = "";
paras[2].Value = "";