C# ASP.NET: error "No value given for one or more required parameters"
Here is the code for the database layer function:
using System.Data.OleDb;

public static dsPersonnel GetPersonnel(string Database, string strSearch)
{
    dsPersonnel DS;
    OleDbConnection sqlConn;
    OleDbDataAdapter sqlDA;

    //create the connection string
    sqlConn = new OleDbConnection("PROVIDER=Microsoft.Jet.OLEDB.4.0;" +
                                  "Data Source=" + Database);

    string query;
    if (strSearch == "" || strSearch.Trim().Length == 0)
    {
        query = "SELECT * from tblPersonnel";
    }
    else
    {
        // the search value is concatenated straight into the SQL text (this is the line the question is about)
        query = "SELECT * FROM tblPersonnel WHERE LastName = " + strSearch + "";
    }

    //create the adapter with query
    sqlDA = new OleDbDataAdapter(query, sqlConn);
    //create the dataset
    DS = new dsPersonnel();
    //fill the data set
    sqlDA.Fill(DS.tblPersonnel);
    //return the dataset
    return DS;
}
If the postback submits a blank string, I have it return all records. But when a real string is passed to the function, I get the error "No value given for one or more required parameters" for the line
sqlDA.Fill(DS.tblPersonnel);
In debug, I verified that the string is building correctly for both cases, but I get the error with the latter. I understand that I should be using parameterized queries, but this is the step in the learning process in class that I am on. One problem at a time :). Any suggestions on what the issue here is?
Comments (4)
Add quotes around the search criteria
You have to enclose strings in single quotes in SQL.
Try
or better
Doesn't look like you're quoting the parameter you're passing in to your query.
Instead of
try
Notice the extra single quotes, and also the Replace() statement, which correctly escapes single quotes contained in your filter (e.g. apostrophes).
Must reiterate that your sample code does contain multiple problems and security vulnerabilities.
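As an added example (not code from the question or from any of the answers), here is the same GetPersonnel function rewritten to pass the search value as an OleDb parameter instead of concatenating it into the SQL text, which is the direction the answers point to. It assumes the dsPersonnel typed DataSet and tblPersonnel table from the question; the column length of 50 is an assumption.

```csharp
using System;
using System.Data.OleDb;

public static class PersonnelData
{
    // Assumed: dsPersonnel is the typed DataSet from the question, with a tblPersonnel table.
    public static dsPersonnel GetPersonnel(string database, string strSearch)
    {
        string connString = "PROVIDER=Microsoft.Jet.OLEDB.4.0;Data Source=" + database;

        using (var conn = new OleDbConnection(connString))
        using (var cmd = conn.CreateCommand())
        {
            if (string.IsNullOrWhiteSpace(strSearch))
            {
                cmd.CommandText = "SELECT * FROM tblPersonnel";
            }
            else
            {
                // The original built "... WHERE LastName = Smith" with no quotes. Jet then
                // reads Smith as an unknown identifier and treats it as a query parameter,
                // which is exactly what the "No value given for one or more required
                // parameters" error reports.
                //
                // OLE DB uses positional '?' placeholders; the parameter name below is
                // ignored, only the order matters. Because the value never becomes part of
                // the SQL text, quoting and apostrophe escaping are handled by the provider,
                // and a search term such as O'Brien is just data, not SQL.
                cmd.CommandText = "SELECT * FROM tblPersonnel WHERE LastName = ?";
                cmd.Parameters.Add("@LastName", OleDbType.VarWChar, 50).Value = strSearch.Trim();
            }

            var ds = new dsPersonnel();
            using (var adapter = new OleDbDataAdapter(cmd))
            {
                // Fill opens and closes the connection itself when it is still closed.
                adapter.Fill(ds.tblPersonnel);
            }
            return ds;
        }
    }
}
```

The blank-search branch still returns every row, so the page's existing behaviour is unchanged; only the filtered branch differs.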