C＃的SqlCommand错误

Question

foreach (string str in TestWords) 
{ 
    //spam 
    SqlCommand cmd6 = new SqlCommand("select count from keys,files,folders where keys.fileid=files.id and keys.kname='" + str + "' and files.spam=1 and folders.id<>" + FolIter + " and files.folderid<>" + FolIter + " and files.id='" + s[0].ToString + "'", cn); 
    int i6 = Convert.ToInt16(cmd6.ExecuteScalar()); 
    double temp = Convert.ToDouble((i6 + 1)/(i7 + i8)); 
    //non spam 

    **error** 

    SqlCommand cmd9 = new SqlCommand("select count from keys,files,folders where keys.fileid=files.id and keys.kname='" 
    + str 
    + "' and files.spam=0 and folders.id<>" 
    + FolIter 
    + " and files.folderid<>" 
    + FolIter 
    + " and files.id='" 
    + s[0].ToString 
    + "'", cn); 
    int i9 = Convert.ToInt16(cmd9.ExecuteScalar()); 
    temp2 = Convert.ToDouble((i9 + 1)/(i7 + i8)); 
    Sdoc = Convert.ToDouble(Sdoc * temp); 
    NsDoc = Convert.ToDouble(NsDoc * temp2); 
} 

错误IAM得到的是：操作“+”不能应用于类型“串”和“方法组”

Answer 1

您正使用方法ToString()财产

变化s[0].ToString - >s[0].ToString()

记住C＃不允许它。

Answer 2

的操作数你要调用的方法：

s[0].ToString() 

Answer 3

由于Nix，Femaref和Azhar提到，.ToString（）是触发错误消息的错字。

我可以建议使用参数而不是字符串连接吗？通过这种方式：

SqlCommand cmd9 = new SqlCommand("select count from keys,files,folders where keys.fileid=files.id and keys.kname=@name and and files.spam=0 and folders.id<>@FolIter and files.folderid<>@FolIter and files.id=@s0", cn); 

cmd9.Parameters.Add(new SqlParameter("@name", str)); 
cmd9.Parameters.Add(new SqlParameter("@FolIter", FolIter)); 
cmd9.Parameters.Add(new SqlParameter("s0", s0)); 

通过这种方式，ADO.NET将处理您的变量是，你不会有将它们转换为字符串使用级联，你不会被暴露在SQL injection风险。