这个 SELECT 查询出了什么问题？

发布于 2024-10-09 10:12:11 字数 183 浏览 3 评论 0原文

Dim cmdSelect As New SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code =" & lab5.Text & "ORDER BY [Ticket_no] DESC", SQLData)

原文

Dim cmdSelect As New SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code =" & lab5.Text & "ORDER BY [Ticket_no] DESC", SQLData)

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

梦幻的心爱 2024-10-16 10:12:11

您使用字符串连接来构建 SQL 查询，而不是参数化查询或存储过程。这就是问题所在。以下是如何改进它：

Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code = @serv_code ORDER BY [Ticket_no] DESC", SQLData)
cmdSelect.Parameters.AddWithValue("@serv_code", lab5.Text)

现在您的查询将可以工作，不仅如此，而且它可以安全地防止 SQL 注入。

You are using string concatenation for constructing your SQL query instead of parametrized queries or stored procedures. That's what is wrong with it. Here's how to improve it:

Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code = @serv_code ORDER BY [Ticket_no] DESC", SQLData)
cmdSelect.Parameters.AddWithValue("@serv_code", lab5.Text)

Now your query will work and not only this but it is safe against SQL injection.

回复收藏 0 原文

人疚 2024-10-16 10:12:11

缺少报价：

Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code ='" & lab5.Text & "' ORDER BY [Ticket_no] DESC", SQLData)

Missing quote :

Dim cmdSelect As New System.Data.SqlClient.SqlCommand("SELECT DISTINCT [seat_remain] FROM [a1_ticket] WHERE serv_code ='" & lab5.Text & "' ORDER BY [Ticket_no] DESC", SQLData)

回复收藏 0 原文

~没有更多了~