Something like:
SqlCommand cmd = new SqlCommand("select * from Customers where CustomerID @Sign @CustomerID", sqlConnectionName);
cmd.Parameters.Add("@Sign", SqlDbType.NVarChar);
cmd.Parameters["@Sign"].Value = ">";
cmd.Parameters.Add("@CustomerID", SqlDbType.NVarChar);
cmd.Parameters["@CustomerID"].Value = txtCustomerID.Text;
A SQL statement with parameters cannot be concatenated like that.
I wrote one without parameters, by string concatenation, but it always feels disgusting to me, and it is not safe either :p
I don't really want to use stored procedures. Do you all use stored procedures for select in your programs? Isn't it a hassle?
For a select like Select (num + max(select num1 from test)) as SUM, ..... it is best to write a Procedure!
CREATE PROCEDURE aa
@SqlWhere varchar(500)
AS
exec ('select * from Customers ' +@Sqlwhere )
string op = "=";   // "operator" is a C# keyword and cannot be used as a variable name
if (...Condition...)
{
    op = ">";
}
else
{
    ...
}
// The operator is chosen from fixed strings in code; only the value is a parameter.
SqlCommand cmd = new SqlCommand(string.Format("select * from Customers where CustomerID {0} @CustomerID", op), sqlConnectionName);
cmd.Parameters.Add("@CustomerID", SqlDbType.NVarChar).Value = txtCustomerID.Text;  // this basically works as well
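The same idea as the answer above, written out as an added example (not code from the thread): the comparison operator is checked against a fixed whitelist before it is placed in the SQL text, and the CustomerID value stays a bound parameter, so no user input is ever concatenated, unlike the `exec('select * from Customers ' + @SqlWhere)` procedure, which concatenates inside the database. The `CustomerQuery` class, the `Build` method, the column length 50 and the connection argument are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original thread.
static class CustomerQuery
{
    // Only these operators may ever reach the SQL text; anything else is rejected.
    static readonly HashSet<string> AllowedOps =
        new HashSet<string> { "=", ">", "<", ">=", "<=", "<>" };

    // Builds the command; the caller owns and opens the connection.
    public static SqlCommand Build(SqlConnection conn, string op, string customerId)
    {
        // Whitelist check: the operator is code-controlled, never free text from the user.
        if (!AllowedOps.Contains(op))
            throw new ArgumentException("operator not allowed: " + op);

        // The operator is inserted into the SQL text, the value is bound as a parameter.
        string sql = string.Format(
            "select * from Customers where CustomerID {0} @CustomerID", op);

        SqlCommand cmd = new SqlCommand(sql, conn);
        // Length 50 is an assumed column size; adjust to the real schema.
        cmd.Parameters.Add("@CustomerID", SqlDbType.NVarChar, 50).Value = customerId;
        return cmd;
    }
}

// Usage sketch (connection string is a placeholder):
// using (SqlConnection conn = new SqlConnection("<connection string>"))
// {
//     conn.Open();
//     using (SqlCommand cmd = CustomerQuery.Build(conn, ">", txtCustomerID.Text))
//     using (SqlDataReader rdr = cmd.ExecuteReader())
//     {
//         while (rdr.Read()) { /* handle row */ }
//     }
// }
```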
to: 3tzjq(永不言弃) Awesome, that works! Clever!
to: ghchen() Thanks a lot! :)