SQL concatenation using VB.NET
Problem description:
How to concatenate 2 SQL statements?
Declaration in global scope:
Dim sqlSearch As String
Declaration in first function:
sqlSearch = " AND MONTH_T = '" + MonthSearch + "'"
Declaration in second function:
Dim sql1 As String = "SELECT DISTINCT MONTH_T FROM Q_VIEWREG WHERE CATEGORY_T = '" + Me.ddlSearchType.SelectedItem.Text + "' " & sqlSearch
After debugging, this is the result that I get for sql1:
SELECT DISTINCT MONTH_T FROM Q_VIEWREG WHERE CATEGORY_T = 'INTERNAL'
It doesn't concatenate the second statement. Why does it happen?
Answers:
I don't know, because I don't do VB, but it's a good thing it didn't. You NEVER build SQL this way; it leaves your code open to all sorts of attacks. Create parameterised queries, or use stored procs. If anyone working for me built SQL like this, it would be instant dismissal.
I would have a read of this article: Using SqlParameter Class.
I would also support Christian's statement about using parameterised queries, as it removes the possibility of SQL injection.
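The parameterised form of the query from the question, written as an added example (it is not code from the original post or either answer). It keeps the two pieces of SQL from the question as fixed literals and moves the two user-controlled values, the category from the dropdown and the month search text, into SqlParameter objects. The connection string, the module and function names, and the NVarChar column sizes (50 and 20) are assumptions; adjust them to the real schema. The month is passed in as an argument instead of being read from a shared field, so the optional clause is decided in one place.

```vbnet
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Public Module MonthQuery
    ' Hypothetical connection string; the original post does not show one.
    Private Const ConnectionString As String = "Server=.;Database=RegDb;Integrated Security=True"

    ' Returns the distinct MONTH_T values for a category, optionally narrowed to one month.
    ' The SQL text contains only fixed literals; user-supplied values travel as parameters.
    Public Function GetMonths(category As String, monthSearch As String) As List(Of String)
        Dim sql As String = "SELECT DISTINCT MONTH_T FROM Q_VIEWREG WHERE CATEGORY_T = @category"

        ' The optional clause is appended from a constant, never built from the value itself.
        Dim filterByMonth As Boolean = Not String.IsNullOrEmpty(monthSearch)
        If filterByMonth Then
            sql &= " AND MONTH_T = @month"
        End If

        Dim months As New List(Of String)()
        Using conn As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand(sql, conn)
                ' Typed, sized parameters (sizes are assumed): the driver sends the value
                ' separately from the SQL text, so a quote or comment sequence in the input
                ' is compared as data, not executed as SQL.
                cmd.Parameters.Add("@category", SqlDbType.NVarChar, 50).Value = category
                If filterByMonth Then
                    cmd.Parameters.Add("@month", SqlDbType.NVarChar, 20).Value = monthSearch
                End If

                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        months.Add(reader.GetString(0))
                    End While
                End Using
            End Using
        End Using
        Return months
    End Function
End Module
```

From the page's second function this would be called as `MonthQuery.GetMonths(Me.ddlSearchType.SelectedItem.Text, MonthSearch)`. The difference from the concatenated version in the question is what happens when the dropdown value is tampered with in the request: a value such as `x' OR '1'='1` spliced into the string changes the WHERE clause, whereas as a parameter it is simply a category name that matches no row.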
Do not use the + sign on strings in VB; you have to use &.