This page covers how to correct a SQL query; the question and the recommended answer are reproduced below.
Problem description
"select SheetNo,TotalDays,COALESCE(CONVERT(CHAR(8), FDate, 1), '') + '-'+ COALESCE(CONVERT(CHAR(8), TDate, 1), '') AS Peroids,VehicleNo,Driver1+'/'+Driver2 as Driver,Tfrieght as Frieght,TDQty as Diesel_Qty,TDAmt as Diesel_Amt,TEAmt as Expense,NetBal,TKM,Mile as Milage from TripSheet where convert(datetime, EDate, 103) between '" & dtp_from.Value.Date & "' and '" & dtp_to.Value.Date & "' and Driver1='" & cb_sublist.Text & "' union all select SheetNo,TotalDays,COALESCE(CONVERT(CHAR(8), FDate, 1), '') + '-'+ COALESCE(CONVERT(CHAR(8), TDate, 1), '') AS Peroids,VehicleNo,Driver1+'/'+Driver2 as Driver,Tfrieght as Frieght,TDQty as Diesel_Qty,TDAmt as Diesel_Amt,TEAmt as Expense,NetBal,TKM,Mile as Milage from TripSheet where convert(datetime, EDate, 103) between '" & dtp_from.Value.Date & "' and '" & dtp_to.Value.Date & "' and Driver2='" & cb_sublist.Text & "'"
Is this correct or not....
Recommended answer
How would we know? We have no idea what your database looks like! But - and it's a big but - do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use parameterized queries instead.