请更正我的 SQL 语法
我知道我的语法有问题... "select * from tblpayroll where empid = userid"
UserID 是一个变量...
I know that there's something wrong with my syntax... "select * from tblpayroll where empid = userid"
UserID is a variable...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
显然,这是你的 vb 变量。
这样使用它,它会起作用
apparently, it's your vb variable.
use it this way, and it'll work
文本“select * from tblpayroll where empid = userid”将通过原样发送到 SQL 后端,
userid部分将不被替代。因此,除非您有userid列,否则您可能会收到错误。即使您确实有userid列,结果也不会是您所期望的。您需要执行的操作取决于
userid是数字值还是字符串值。对于数字,您可以使用:这将首先将数字值转换为字符串并按原样检查。
对于字符串值,请使用:
这将简单地用引号将字符串括起来,以确保字符串比较有效。您需要意识到,如果
userid没有经过某种方式的清理,这是一个坏主意 - 它可能会导致 SQL 注入攻击。解决这个问题的艺术超出了这个特定问题的范围,但值得牢记。如果您的变量是数字但数据库字段是字符串该怎么办是另一回事。您可以使用
CStr和零填充来完成此操作,但由于这种情况不太可能发生,因此我没有在此处记录它。The text
"select * from tblpayroll where empid = userid"will be sent through exactly as is to the SQL back end, theuseridpart will not be substituted. So, unless you have auseridcolumn, you'll probably get an error. Even if you do have auseridcolumn, the results won't be what you expect.What you need to do depends on whether
useridis a numeric or string value. For numerics, you can use:This will first turn the numeric value into a string and check it as-is.
For string values, use:
This will simply surround the string with quotes to ensure a string comparison works. You need to be aware that this is a bad idea if
useridhas not been sanitised somehow - it may lead to SQL injection attacks. The art of fixing that is outside the scope of this particular question but it's worth keeping in mind.What to do if your variable is numeric but the database field is a string is another matter. You can do it with
CStrand zero-padding but, since it's an unlikely scenario, I haven't documented it here.