2012-02-14 87 views
1

C# string concatenation: why doesn't it work here?

I have the following C# code:

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Text; 

namespace StringTest 
{ 
    class Program 
    { 
     static void Main(string[] args) 
     { 

       String strSQLCode; 
      strSQLCode = " select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * " 
         += " from view_dg_game_details gd (nolock) " 
         += " where gd.gametypeid = {0} " 
         += " and gd.numberofrounds = {1} " 
         += " and gd.gamevalues = '{2}' "; 
     } 
    } 
} 

For some reason I get the error "The left-hand side of an assignment must be a variable, property or indexer".

I can't see what the error is telling me. I have commented out the offending line, but the error just moves up one line.

I can get the string concatenation to work using this approach:

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Text; 

namespace StringTest 
{ 
    class Program 
    { 
     static void Main(string[] args) 
     { 

      String strSQLCode; 
      strSQLCode = " select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * "; 
      strSQLCode = strSQLCode + " from view_dg_game_details gd (nolock) "; 
      strSQLCode = strSQLCode + " where gd.gametypeid = {0} "; 
      strSQLCode = strSQLCode + " and gd.numberofrounds = {1} "; 
      strSQLCode = strSQLCode + " and gd.gamevalues = '{2}' ";    
     } 
    } 
} 

Can someone explain this error to me?

Thanks

+10

You have a SQL injection vulnerability. – SLaks 2012-02-14 18:53:13

+0

String concatenation is less efficient; it's better to use an '@' string here. – McKay 2012-02-14 18:56:37

+3

@McKay: I imagine the compiler combines them at compile time. – 2012-02-14 19:07:27

Answers

12

Because you can't chain the += operator without repeating the variable you're operating on:

strSQLCode = @"select rank() over (order by percentagecorrect desc, 
              totalmilliseconds asc) as rank, * "; 
strSQLCode += " from view_dg_game_details gd (nolock) "; 
strSQLCode += " where gd.gametypeid = {0} "; 
strSQLCode += " and gd.numberofrounds = {1} "; 
strSQLCode += " and gd.gamevalues = '{2}' "; 

If you want to declare it in one statement, use only +:

strSQLCode = @"select rank() over (order by percentagecorrect desc, 
              totalmilliseconds asc) as rank, * " 
      + " from view_dg_game_details gd (nolock) " 
      + " where gd.gametypeid = {0} " 
      + " and gd.numberofrounds = {1} " 
      + " and gd.gamevalues = '{2}' "; 

Or, if you don't want any of that, you can just use a single string literal:

strSQLCode = 
    @"select rank() over (order by percentagecorrect desc, 
           totalmilliseconds asc) as rank, * 
     from view_dg_game_details gd (nolock) 
     where gd.gametypeid = {0} 
      and gd.numberofrounds = {1} 
      and gd.gamevalues = '{2}' "; 
+0

Yes, the multi-line string literal is better. – McKay 2012-02-14 18:58:58

2

For your first snippet, what you want is +, not +=.

You only want to assign the variable once, and do that after joining all the parts together in the normal way. That is +.

2

In your first snippet you shouldn't use +=; a simple + will do.

From MSDN:

An expression using the += assignment operator, such as

x += y 

is equivalent to

x = x + y 

except that x is only evaluated once.

This means you can't use += to chain together a series of strings or more than two variables.

2

You wrote

something += "a" += "b"; 

which makes no sense.

3

This is a single statement, so you should use the following:

 strSQLCode = " select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * " 
        + " from view_dg_game_details gd (nolock) " 
        + " where gd.gametypeid = {0} " 
        + " and gd.numberofrounds = {1} " 
        + " and gd.gamevalues = '{2}' "; 
2

Just use it this way:

strSQLCode = " select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * " 
      + " from view_dg_game_details gd (nolock) " 
      + " where gd.gametypeid = {0} " 
      + " and gd.numberofrounds = {1} " 
      + " and gd.gamevalues = '{2}' "; 

strSQLCode = 
      @"select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * 
      from view_dg_game_details gd (nolock) 
      where gd.gametypeid = {0} 
      and gd.numberofrounds = {1} 
      and gd.gamevalues = '{2}' "; 
+0

+1 for the @ string – McKay 2012-02-14 18:58:35

1

Your syntax is slightly off.

It should be:

namespace StringTest 
{ 
    class Program 
    { 
     static void Main(string[] args) 
     { 

       String strSQLCode; 
      strSQLCode = @" select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * " 
         + @" from view_dg_game_details gd (nolock) " 
         + @" where gd.gametypeid = {0} " 
         + @" and gd.numberofrounds = {1} " 
         + @" and gd.gamevalues = '{2}' "; 
     } 
    } 
} 
1

What you are effectively doing is:

string variable = "string" += "another string"; 

which is essentially the same as:

string variable; 
(variable = "string") += "another string"; 

Since the result of the parenthesised expression is a string (specifically, the assigned value), you are now effectively doing this:

string variable; 
variable = "string"; 
"string" += "another string"; 

and the compiler has a problem with the third line.

Specifically, what the compiler is telling you is that in order to perform an assignment, you must assign to something.

Write it like this:

strSQLCode = @" select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * 
    from view_dg_game_details gd (nolock) 
    where gd.gametypeid = @gameType 
    and gd.numberofrounds = @numberOfRounds 
    and gd.gamevalues = @gameValues "; 

and use a parameterised query.

0

Use + instead of +=.

Also, I strongly advise against storing and concatenating SQL queries this way, because it is very insecure due to SQL injection.

Read about it here: SQL injection

1

As others have mentioned, += should be +. If you build SQL you at least need to parameterise it; SQL injection is a serious problem. I could drop a table from the database from a console or WinApp textbox. For the first variable, you could pass

1 ; drop table dg_game_details -- 

For example:

using System.Data; 
using System.Data.SqlClient; 

SqlConnection conDatabase = 
    new SqlConnection("Data Source=(local);" + 
                      "Database='projectGames';" + 
                      "Integrated Security=true"); 
// Note the leading space before WHERE so the two literals do not run together. 
SqlCommand cmdDatabase = 
    new SqlCommand("SELECT rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, * FROM view_dg_game_details gd (nolock)" + 
                   " WHERE gd.gametypeid = @GameId;", conDatabase); 

cmdDatabase.Parameters.Add("@GameId", SqlDbType.Int); 
cmdDatabase.Parameters["@GameId"].Value = 1;
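Putting the two points of this thread together, as an added example that is not from the original question or any of the answers: the OP's full query as a single verbatim literal (so there is nothing to chain with +=) with all three filters bound as typed parameters rather than {0}/{1}/{2} format holes. The connection string, the gamevalues column size and the sample argument values are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

namespace StringTest
{
    class Program
    {
        // The OP's query as one verbatim (@) literal: no "+=" chaining and no
        // {0}/{1}/{2} format holes. Each filter is a parameter placeholder.
        const string RankedGamesSql = @"
            select rank() over (order by percentagecorrect desc, totalmilliseconds asc) as rank, *
            from view_dg_game_details gd (nolock)
            where gd.gametypeid = @gameType
              and gd.numberofrounds = @numberOfRounds
              and gd.gamevalues = @gameValues";

        // Binds each caller-supplied value as a typed parameter, so it travels to
        // SQL Server as data and is never spliced into the query text.
        static SqlCommand BuildRankedGamesCommand(SqlConnection con,
            int gameTypeId, int numberOfRounds, string gameValues)
        {
            var cmd = new SqlCommand(RankedGamesSql, con);
            cmd.Parameters.Add("@gameType", SqlDbType.Int).Value = gameTypeId;
            cmd.Parameters.Add("@numberOfRounds", SqlDbType.Int).Value = numberOfRounds;
            // 50 is an assumed size for the gamevalues column.
            cmd.Parameters.Add("@gameValues", SqlDbType.NVarChar, 50).Value = gameValues;
            return cmd;
        }

        static void Main(string[] args)
        {
            // Connection string and argument values are constructed samples.
            const string connectionString =
                "Data Source=(local);Database='projectGames';Integrated Security=true";

            using (var con = new SqlConnection(connectionString))
            using (var cmd = BuildRankedGamesCommand(con, 1, 5, "1,2,3"))
            {
                con.Open();
                using (var reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                        Console.WriteLine("{0}\t{1}", reader["rank"], reader["totalmilliseconds"]);
                }
            }
        }
    }
}
```

An integer parameter rejects non-numeric input outright, and a string parameter delivers text such as the value quoted in the answer above as a literal comparison value, which is why the table-dropping scenario described there cannot occur through this command.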