我想使用C#从SQL Server中的不同表加载特定数据但是我得到了一个错误Incorrect syntax near the keyword 'as'. Incorrect syntax near 'EP'. Incorrect syntax near the keyword 'AND'.代码运行良好,因为我已经放置了一个messageBox来显示查询,一个messageBox popsup并显示完整查询但是之后我收到了一个错误我已经在上面提到过这是代码
private void FillGridView()
{
CS = ConfigurationManager.ConnectionStrings["HRMSConnectionString"].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{ SqlCommand cmd = new SqlCommand(query, con);
con.Open();
SqlDataAdapter ad = new SqlDataAdapter(cmd);
ad.Fill(dt);
gvShowAllData.DataSource = dt;
}
}
这是查询
string query = @"Select 'ACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact" +
",D.desig_id,D.desig_name" +
"from EMP_Master as e,EMP_Posting_Log as p,EMP_Designation AS D" +
"where e.emp_id=p.emp_id" +
"AND P.desg_id=D.desig_id" +
"and p.status='ACTIVE'" +
"AND E.emp_name LIKE '%" + tbSearchName.Text + "%'" +
"UNION" +
"Select 'INACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact" +
",NULL,NULL" +
"from EMP_Master as e" +
"WHERE E.emp_id IN (SELECT DISTINCT EP.emp_id FROM EMP_Posting_Log AS EP" +
"WHERE EP.status='INACTIVE')" +
"AND E.emp_name LIKE '%" + tbSearchName.Text + "%'" +
"UNION" +
"Select 'NOT POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact" +
",NULL,NULL" +
"from EMP_Master as e" +
"WHERE E.emp_id NOT IN (SELECT DISTINCT EP1.emp_id FROM EMP_Posting_Log AS EP1)" +
"AND E.emp_name LIKE '%" + tbSearchName.Text + "%'";
你的字符串部分之间需要空格.你期望串联创建新的行,但现实是它不是如何工作.如果要在字符串之间使用新行或空格,则需要在字符串中添加该行.
更重要的问题是您的查询容易受到SQL注入攻击.您应始终使用参数进行用户输入.
string query = @"Select 'ACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact,D.desig_id,D.desig_name
from EMP_Master as e,EMP_Posting_Log as p,EMP_Designation AS D
where e.emp_id=p.emp_id
AND P.desg_id=D.desig_id
and p.status='ACTIVE'
AND E.emp_name LIKE @tbSearchName
UNION
Select 'INACTIVE POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact,NULL,NULL
from EMP_Master as e
WHERE E.emp_id IN (SELECT DISTINCT EP.emp_id FROM EMP_Posting_Log AS EP
WHERE EP.status='INACTIVE')
AND E.emp_name LIKE @tbSearchName
UNION
Select 'NOT POSTING' as POSTING,e.emp_id,e.emp_name,e.emp_fathername,e.emp_nic,e.emp_contact,NULL,NULL
from EMP_Master as e
WHERE E.emp_id NOT IN (SELECT DISTINCT EP1.emp_id FROM EMP_Posting_Log AS EP1)
AND E.emp_name LIKE @tbSearchName";
至于添加参数:
cmd.Parameters.Add(new SqlParameter("@tbSearchName", SqlDbType.VarChar) {Value = "%" + tbSearchName.Text + "%"});
您的问题是由于字符串的串联造成的。+当您以以下方式开始字符串时,您可以在多行中写入字符串,而无需使用@
string query = @"
Select 'ACTIVE POSTING' as POSTING, e.emp_id, e.emp_name,
e.emp_fathername, e.emp_nic, e.emp_contact, D.desig_id, D.desig_name
//and so on continue with your query
";
还要考虑SqlCommand.Parameters防止您的代码受到 sql 注入。
| 归档时间: |
|
| 查看次数: |
1277 次 |
| 最近记录: |