OLEDB 查询 SQL Server 失败
我有两个 SQL 查询:
A.
SELECT (upper(rtrim(ltrim(lastname))) + upper(rtrim(ltrim(firstname))) +
upper(rtrim(ltrim(middlename))) + rtrim(ltrim(v)) ) AS userCompareStr
FROM atable ;
和
B。
SELECT (upper(rtrim(ltrim(lastname))) + upper(rtrim(ltrim(firstname))) +
upper(rtrim(ltrim(middlename))) + rtrim(ltrim(v)) ) AS userCompareStr
FROM atable WHERE userCompareStr='GAPYLE1111' ;
我有以下代码:
Dim sql As String
Dim conn As OleDbConnection
Dim cmd As OleDbDataAdapter
Dim ds As DataSet
Dim tbl As DataTable
conn = " something here "
cmd = New OleDbDataAdapter(sql, conn)
ds = New DataSet
cmd.Fill(ds)
tbl = New DataTable
tbl = ds.Tables(0)
据我所知,当 sql 设置为字符串 A 时它似乎可以工作,但当它设置为字符串 B 时则不行。
这让我怀疑有该条款有问题 WHERE userCompareStr='GAPYLE1111'
我可以不以这种方式使用别名 userCompareStr 吗?我找不到这种用法的任何示例,但是当别名用于表名时,我确实找到了类似的用法——而且我没有看到任何反对这种用法的东西。
I have two SQL queries:
A.
SELECT (upper(rtrim(ltrim(lastname))) + upper(rtrim(ltrim(firstname))) +
upper(rtrim(ltrim(middlename))) + rtrim(ltrim(v)) ) AS userCompareStr
FROM atable ;
and
B.
SELECT (upper(rtrim(ltrim(lastname))) + upper(rtrim(ltrim(firstname))) +
upper(rtrim(ltrim(middlename))) + rtrim(ltrim(v)) ) AS userCompareStr
FROM atable WHERE userCompareStr='GAPYLE1111' ;
I have the following code:
Dim sql As String
Dim conn As OleDbConnection
Dim cmd As OleDbDataAdapter
Dim ds As DataSet
Dim tbl As DataTable
conn = " something here "
cmd = New OleDbDataAdapter(sql, conn)
ds = New DataSet
cmd.Fill(ds)
tbl = New DataTable
tbl = ds.Tables(0)
Near as I can tell it seems to work when sql is set to string A, but not when it's set to string B.
This leads me to suspect that there is something wrong with the clause
WHERE userCompareStr='GAPYLE1111'
Can I not use the alias userCompareStr in this way? I can't find any examples of this kind of use, but I do find analogous use when alias is used for table name -- and I don't see anything against that kind of us.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
你有三个选择。
1)重复您在where中的选择中所做的事情
2)使用公共表表达式
3)内联查询请参阅Maziar Taheri的答案
顺便说一句,我希望“GAPYLE1111”不是来自用户输入,否则您将自己暴露在SQL注入攻击。使用参数化查询代替
You have three options.
1) repeat what you did in the select in the where
2) Use a common table expression
3) Inline query see Maziar Taheri's answer
As an aside I hope 'GAPYLE1111' doesn't come from user input, otherwise you're exposing yourself to SQL Injection attacks. Use parameterized queries instead
不可以,您不能在 WHERE 子句中使用别名列。
请参阅 在 where 中使用别名列ms-sql 2000 中的子句
(本文是关于 SQL 2000 的,但今天仍然适用)
No, you cannot use an aliased column in the WHERE clause.
See Using an Alias column in the where clause in ms-sql 2000
(the article is about SQL 2000, but it still applies today)
您不能在 where 子句内使用在 select 子句中设置的别名。
试试这个:
you cannot use an alias you have set in the select clause, inside the where clause.
try this:
我暂时离开这个问题,去做其他事情,然后又回到这个问题上。
我通过从使用 oledb 切换到“其他东西”解决了主要问题。
我不确定新的(对我来说)方法叫什么 - 除了“本机 sqlserver?”
要点:
不能在 WHERE 子句中使用字段名称别名。 (根据 maziar 和 matt)
Conrad 的修复 #1 适用于 OLEDB,但我不喜欢这种方法,因为它很冗长(并且真正的命令比我在这里提供的按比例缩小的示例要复杂得多)并且那里是很多不同的调用。容易出错且难以阅读(但在紧急情况下可以工作)。
为了获得WITH或嵌套选择工作,我必须从OLEDB切换到“本机sqlserver”(或任何名称)。 WITH(如康拉德建议的那样)是我的首选解决方案 - 更容易阅读。当我从 OLEDB 切换到本机时,嵌套选择(由 Maziar 建议)也可以工作。
我需要切换到“参数化查询”以避免 Conrad 指出的 SQL 注入攻击。
无论如何,当我切换到该方法时,上述建议有效。
我没有使用,而是
使用:
我现在不引用 oledb(例如 oledbadapter),而是引用 sqlDataAdapter。我忽略了 upper、ltrim 和 trim 函数(因为事实证明它们不是问题)并专注于 oledb 一直困扰的WITH。这就是我要做的工作:
另外,在 web.config 中,我添加了:
我还没有添加 SQL 注入修复内容,但我正在研究它,并且现在我确信这是我需要做的事情。我在这里找到了一些相关信息:
和这里:
但我需要一些时间来尝试它。感谢您的帮助和指点。
I stepped away from the problem for a while, worked on something else, and came back to it.
I have solved the primary problem by switching from using oledb to "something else."
I'm not sure what the new (to me) method is called - except maybe "native sqlserver?"
Important points:
Cannot use field name alias in the WHERE clause. (as per maziar and matt)
Conrad's fix #1 worked on OLEDB, but I don't like that method because it's verbose (and the real command is a lot more complicated than the scaled down example I provide here) and there is a LOT of different invocations. Error-prone and hard to read (but works in a pinch).
To get either the WITH or the nested select work I had to switch from OLEDB to "native sqlserver" (or whatever it's called). The WITH (as suggested by Conrad) is my preferred solution - much easier to read. The nested select (suggested by Maziar) also works when I switch from OLEDB to native.
I need to switch to "parameterized queries" to avoid sql injection attacks as noted by Conrad.
Anyway, suggestions above work when I switched to that method.
Instead of using
I used:
I now make no reference to oledb (such as oledbadapter), but instead make references to sqlDataAdapter. I ignore the upper, ltrim, and trim functions (because it turns out they weren't the issue) and focus on the WITH which is what oledb had been choking on. Here's what I got to work:
Also, in web.config, I added:
I have not added the SQL Injection fix stuff yet, but I am looking into it and I'm sure now that this is something I need to do. I found some information on that here:
and here:
but I need some time to experiment with it. Thanks for the help and the pointers.