请先看下面代码:
===========================================================================
public DataTable SendBoxForSendTime(string SendTime ,string ReceiverName)
{
string sql = "select * from [Table_Sms] where [SendTime]=@SendTime and [ReceiverName]=@ReceiverName";① SqlParameter[] paras = {
new SqlParameter("@SendTime", SqlDbType.DateTime, 8)
};
② SqlParameter[] parasName = {
new SqlParameter("@ReceiverName", SqlDbType.NVarChar)
};
paras[0].Value = DateTime.Parse(SendTime);
paras[1].Value = DateTime.Parse(ReceiverName);
return base.SqlRuner.ExecuteDataTable(sql, paras);
}
===========================================================================
我的疑问是,其中的"SendTime"和"ReceiverName"直接由参数获得不就可以了么?
为什么还要用①②的代码?为什么不可以直接写成:===========================================================================
public DataTable SendBoxForSendTime(string SendTime ,string ReceiverName)
{
string sql = "select * from [Table_Sms] where [SendTime]=@SendTime and [ReceiverName]=@ReceiverName";
return base.SqlRuner.ExecuteDataTable(sql);
}
===========================================================================
===========================================================================
public DataTable SendBoxForSendTime(string SendTime ,string ReceiverName)
{
string sql = "select * from [Table_Sms] where [SendTime]=@SendTime and [ReceiverName]=@ReceiverName";① SqlParameter[] paras = {
new SqlParameter("@SendTime", SqlDbType.DateTime, 8)
};
② SqlParameter[] parasName = {
new SqlParameter("@ReceiverName", SqlDbType.NVarChar)
};
paras[0].Value = DateTime.Parse(SendTime);
paras[1].Value = DateTime.Parse(ReceiverName);
return base.SqlRuner.ExecuteDataTable(sql, paras);
}
===========================================================================
我的疑问是,其中的"SendTime"和"ReceiverName"直接由参数获得不就可以了么?
为什么还要用①②的代码?为什么不可以直接写成:===========================================================================
public DataTable SendBoxForSendTime(string SendTime ,string ReceiverName)
{
string sql = "select * from [Table_Sms] where [SendTime]=@SendTime and [ReceiverName]=@ReceiverName";
return base.SqlRuner.ExecuteDataTable(sql);
}
===========================================================================
朋友 看看这个问题。http://community.csdn.net/Expert/topic/5686/5686047.xml?temp=.8212702
-------------------------------------------
这样是可以的,可以直接从参数里拿到
你要清楚的是怎么把参数传给你的SQL语句public DataTable SendBoxForSendTime(string SendTime ,string ReceiverName)
{
string sql = string.Format("select * from [Table_Sms] where [SendTime]={0} and [ReceiverName]={1}",SendTime ,ReceiverName);
return base.SqlRuner.ExecuteDataTable(sql);
}
-------------------------------、
SqlParameter[] paras = {
new SqlParameter("@SendTime", SqlDbType.DateTime, 8)
};
② SqlParameter[] parasName = {
new SqlParameter("@ReceiverName", SqlDbType.NVarChar)
};
paras[0].Value = DateTime.Parse(SendTime);
paras[1].Value = DateTime.Parse(ReceiverName);
return base.SqlRuner.ExecuteDataTable(sql, paras);
这种写法能更好的控制参数的类型
而直接用参数来拼串的话就不能保证参数和语句的正确性!而且容易被注入。
规范的带参数的SQL命令,应该用SqlCommand来执行!高手有空帮忙看下这个困难问题帖子!!谢谢!
http://community.csdn.net/Expert/topic/5684/5684900.xml?temp=.9734461