sql查询问题

protected void Button1_Click(object sender, EventArgs e) 
{ 
    SqlConnection myConnection = new SqlConnection("Data Source=DELL-PC\\SQLEXPRESS;Initial Catalog=eclass;Persist Security Info=True;integrated security = true"); 
    myConnection.Open(); 
    string key = txtsearchkey.Text.ToString(); 

    SqlCommand q1 = new SqlCommand("select cat_id from category where cat_name='" + (ddsearchcat.SelectedItem.ToString() + "'"), myConnection); 
    string cat = q1.ExecuteScalar().ToString(); 

    SqlCommand q2 = new SqlCommand("select subcat_id from subcategory where subcat_name= '" + (ddsearchsubcat.SelectedItem.ToString() + "'"), myConnection); 
    string subcat = q2.ExecuteScalar().ToString(); 

    SqlCommand q3 = new SqlCommand("select adid from adType where adtype= '" + (ddsearchtype.SelectedItem.ToString()) + "'", myConnection); 
    string adtype = q3.ExecuteScalar().ToString(); 

    String date = ddsearchdays.SelectedItem.ToString(); 

    if (chkAdimg.Checked) 
    { 
     if (chkAdVideo.Checked) 
     { 
      SqlCommand query = new SqlCommand("select title,ad_description from postad where ad_description like " + txtsearchkey + " and category_id=" + cat + " and subcategory_id=" + subcat + " and ad_id=" + adtype + " and video is not null and img_id is not null and adType INNER JOIN adType AS adType_1 ON adType.adid = adType_1.adid CROSS JOIN category CROSS JOIN subcategory CROSS JOIN userdetails", myConnection);   

      DataSet ds = new DataSet(); 
      SqlDataAdapter ad = new SqlDataAdapter(query); 
      ad.Fill(ds); 
      foreach (DataRow dr in ds.Tables[0].Rows) 
      { 
        Response.Write(dr[0].ToString()); 
      } 
     } 
    } 
}

这个查询是给了我一个问题，说sql查询问题

其中条件，预计在指定的上下文非布尔型的表达，接近内心...

我应该让我的查询什么变化

来源

2011-04-15 shweta

看起来你`的SqlCommand query`线可能是罪魁祸首。我的猜测是你上面的查询之一，你使用值来建立你的`SqlCommand查询`返回一个无效的值。你应该通过它来确保你获得了正确的值，并且可能应该在使用它们来构建另一个查询之前验证这些变量。 – Prescott 2011-04-15 16:13:59

**首先：**将** NOT **字符串连接到SQL查询中！你知道吗[SQL注入]（http://xkcd.com/327/）？不要这样做 - 不是永远。请改用**参数化查询**！ – 2011-04-15 20:02:23

select title,ad_description from postad where ad_description like " + txtsearchkey + " and category_id=" + cat + " and subcategory_id=" + subcat + " and ad_id=" + adtype + " and video is not null and img_id is not null and adType INNER JOIN adType AS adType_1 ON adType.adid = adType_1.adid CROSS JOIN category CROSS JOIN subcategory CROSS JOIN userdetails", myConnection);

你在哪里使用内部连接后的条件？

我想这可能是正确的

select title,ad_description 
from postad 
INNER JOIN adType AS adType_1 ON adType.adid = adType_1.adid 
CROSS JOIN category 
CROSS JOIN subcategory 
CROSS JOIN userdetails 
where ad_description like " + txtsearchkey + " 
    and category_id=" + cat + " 
    and subcategory_id=" + subcat + " 
    and ad_id=" + adtype + " 
    and video is not null 
    and img_id is not null

来源

2011-04-15 16:12:38 Nighil

adType INNER JOIN adType AS adType.adid = atType_1.adid – shweta 2011-04-15 16:16:22

我以为这是在这儿，你已经有了

...and adType INNER JOIN adType...

你的联接应在WHERE子句之前完成，更何况你确实应该使用参数的值而不是纯文本，以避免像SQL注入的东西，你可能会需要％的值你想做一个LIKE，但我离题...

来源

2011-04-15 16:13:16 w69rdy

该varch ar列应该包含引用的值。例如

where ad_description like " + txtsearchkey + " and

应该是

where ad_description like '" + txtsearchkey + "' and

此外

img_id is not null and adType INNER JOIN

应具有

img_id is not null INNER JOIN

即ADTYPE似乎是不必要的。

这不是制作动态SQL的好方法。它不仅暴露给SQL注入，而且几乎不可能维护。

来源

2011-04-15 16:15:26

你有你的WHERE条款后您的加入，它需要是WHERE条款前后FROM

select 
    title, 
    ad_description 
from postad 
INNER JOIN adType AS adType_1 ON adType.adid = adType_1.adid 
CROSS JOIN category 
CROSS JOIN subcategory 
CROSS JOIN userdetails 
where ad_description like " + txtsearchkey + " 
and category_id=" + cat + " 
and subcategory_id=" + subcat + " 
and ad_id=" + adtype + " 
and video is not null 
and img_id is not null 
and adType "

来源

2011-04-15 16:15:43

sql查询问题

回答

相关问题