Correcting a SQL query

Updated: 2024-10-12 08:26:39
Problem description

```vb
"select SheetNo,TotalDays," &
"COALESCE(CONVERT(CHAR(8), FDate, 1), '') + '-' + COALESCE(CONVERT(CHAR(8), TDate, 1), '') AS Peroids," &
"VehicleNo,Driver1+'/'+Driver2 as Driver,Tfrieght as Frieght,TDQty as Diesel_Qty," &
"TDAmt as Diesel_Amt,TEAmt as Expense,NetBal,TKM,Mile as Milage " &
"from TripSheet " &
"where convert(datetime, EDate, 103) between '" & dtp_from.Value.Date & "' and '" & dtp_to.Value.Date & "' " &
"and Driver1='" & cb_sublist.Text & "' " &
"union all " &
"select SheetNo,TotalDays," &
"COALESCE(CONVERT(CHAR(8), FDate, 1), '') + '-' + COALESCE(CONVERT(CHAR(8), TDate, 1), '') AS Peroids," &
"VehicleNo,Driver1+'/'+Driver2 as Driver,Tfrieght as Frieght,TDQty as Diesel_Qty," &
"TDAmt as Diesel_Amt,TEAmt as Expense,NetBal,TKM,Mile as Milage " &
"from TripSheet " &
"where convert(datetime, EDate, 103) between '" & dtp_from.Value.Date & "' and '" & dtp_to.Value.Date & "' " &
"and Driver2=' " & cb_sublist.Text & " '"
```

Is this correct or not?

Recommended answer

How would we know? We have no idea what your database looks like! But - and it's a big but - do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL injection attack, which can destroy your entire database. Use parameterized queries instead.
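The parameterized form the answer asks for, as an added example that is not part of the original question or answer. It keeps the column list and aliases from the posted query and is written in VB.NET with System.Data.SqlClient, because the `dtp_from.Value.Date` and `cb_sublist.Text` concatenation in the question is VB.NET WinForms code talking to SQL Server. Assumptions: the connection string is supplied by the caller, Driver1 and Driver2 are NVARCHAR, and EDate is stored as text in dd/MM/yyyy (the only reason the original needs `CONVERT(datetime, EDate, 103)`). Besides closing the injection, typed parameters fix two defects visible in the posted code: `&` formats a Date with the client's regional settings, so the server may misread or reject the literal depending on where the program runs, and the second branch compares Driver2 against `' " & cb_sublist.Text & " '`, with a stray leading space inside the quotes that SQL Server does not ignore in an equality test.

```vb
Imports System.Data
Imports System.Data.SqlClient

Module TripSheetReport
    ' Added example: the posted report query rebuilt with SqlParameter objects.
    ' Column and alias names are taken from the question; the parameter names,
    ' sizes and the assumed column types (NVARCHAR drivers, dd/MM/yyyy text in
    ' EDate) are assumptions for this example.
    Private Const ReportSql As String =
        "SELECT SheetNo, TotalDays, " &
        "COALESCE(CONVERT(CHAR(8), FDate, 1), '') + '-' + COALESCE(CONVERT(CHAR(8), TDate, 1), '') AS Peroids, " &
        "VehicleNo, Driver1 + '/' + Driver2 AS Driver, Tfrieght AS Frieght, " &
        "TDQty AS Diesel_Qty, TDAmt AS Diesel_Amt, TEAmt AS Expense, NetBal, TKM, Mile AS Milage " &
        "FROM TripSheet " &
        "WHERE CONVERT(datetime, EDate, 103) BETWEEN @FromDate AND @ToDate " &
        "  AND (Driver1 = @Driver OR Driver2 = @Driver)"

    ' Runs the report for one driver over a date range and returns the rows.
    Public Function LoadTripSheets(connectionString As String,
                                   fromDate As Date, toDate As Date,
                                   driver As String) As DataTable
        Dim result As New DataTable()
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand(ReportSql, conn)
                ' The values travel as typed parameters and never become part of
                ' the SQL text, so an apostrophe in a name (O'Brien) or an input
                ' such as  ' OR 1=1 --  is compared as data, not parsed as SQL.
                ' Dates are sent as DATE values, so the client's regional date
                ' format no longer matters.
                cmd.Parameters.Add("@FromDate", SqlDbType.Date).Value = fromDate.Date
                cmd.Parameters.Add("@ToDate", SqlDbType.Date).Value = toDate.Date
                ' Trim removes accidental surrounding spaces from the combo box text,
                ' which the original's Driver2=' ... ' comparison would have kept.
                cmd.Parameters.Add("@Driver", SqlDbType.NVarChar, 100).Value = driver.Trim()
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function
End Module

' Call site, replacing the concatenated string from the question:
' Dim rows = TripSheetReport.LoadTripSheets(connStr, dtp_from.Value, dtp_to.Value, cb_sublist.Text)
```

The two UNION ALL branches of the original differ only in which driver column they test, so they are folded into a single OR. The one behavioural difference is that a sheet whose Driver1 and Driver2 are both the selected name now appears once instead of twice; if the duplicate rows are actually wanted, keep the UNION ALL and bind the same three parameters in both branches.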


Published: 2023-11-22 06:07:24
Link: https://www.elefans.com/category/jswz/34/1616258.html
Tags: SQL
