// Question snippet: parse the receipt id, then load matching receipt_info rows into a DataTable.
// int.Parse throws on null or non-numeric input; int.TryParse lets the caller reject bad input explicitly.
int i = int.Parse(rid); 
// NOTE(review): the connection, command and adapter are not disposed in the lines shown;
// using blocks would release the connection on every path, including when Fill throws.
SqlConnection thisconnection = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDbFilename=D:\lagenius\JIvandhara ngo\JIvandhara ngo\ngo.mdf;Integrated Security=True;User Instance=True"); 
thisconnection.Open(); 
// The WHERE clause is hard-coded to 4, so the parsed value i never reaches the query.
string st = ("select receipt_no, name, rupees, pay_by, date from receipt_info where receipt_no = 4"); 
// thisdataset is not used by the lines shown.
DataSet thisdataset = new DataSet(); 
// The commented-out attempt below builds the SQL text by string concatenation, and `==` is not
// a T-SQL comparison operator. Binding the value as a SqlParameter keeps data out of the statement text.
//string cmdtext = "select * from receipt_info where receipt_no =='" + i + "'"; 
SqlCommand cmd = new SqlCommand(st, thisconnection); 
SqlDataAdapter data_ad = new SqlDataAdapter(cmd); 
DataTable dt = new DataTable(); 
// Fill runs the SELECT and copies the result rows into dt.
data_ad.Fill(dt); 

歡迎,計算器!提問時,你應該提供問題的簡短描述、你嘗試過的內容、實際結果和預期結果,然後再提出問題。 – Patrick 2014-09-27 07:26:00

回答

0
// Concatenates the value into the SQL text. With i being the int parsed in the question it cannot
// carry SQL syntax, but the same pattern applied to a string value is injectable; a bound
// parameter (@name placeholder plus cmd.Parameters) does not depend on the variable's type.
string st = ("select receipt_no, name, rupees, pay_by, date from receipt_info where receipt_no =" + i); 
0
// string.Format still splices the value into the SQL text (formatted with the current culture),
// so this is string-built SQL as well. It is only safe while the argument is a numeric type;
// a bound SqlParameter keeps the value out of the statement regardless of its type.
string st = string.Format("select receipt_no, name, rupees, pay_by, date from receipt_info where receipt_no = {0}",i); 
0

首先,你應該使用參數

// The statement text carries only the @Receipt_Number placeholder; the value itself is bound
// separately on the command, so it is never parsed as SQL.
string st = "select receipt_no, name, rupees, pay_by, date "
          + "from receipt_info where receipt_no = @Receipt_Number";

像上面這樣重寫你的語句;建立 SqlCommand 之後,再為它加入參數 @Receipt_Number:

// Declare the parameter as a SQL int and bind the parsed value in one step;
// Parameters.Add returns the SqlParameter it just created.
cmd.Parameters.Add("@Receipt_Number", SqlDbType.Int).Value = i;
0

發送參數化查詢時,應該使用SqlParameter。如何使用它們的示例可參見http://www.dotnetperls.com/sqlparameter

基本上,您使用佔位符構造查詢,並使用 SqlCommand 的 Parameters 屬性為它們填入值。

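// Parameterized lookup of one receipt: the id is bound as @Id, so it never becomes part of the SQL text.
int searchId = 4;
// NOTE(review): the connection string is hard-coded with a machine-specific .mdf path;
// it would normally be read from configuration rather than compiled into the code.
string connectionString = @"Data Source=.\SQLEXPRESS;AttachDbFilename=D:\lagenius\JIvandhara ngo\JIvandhara ngo\ngo.mdf;Integrated Security=True;User Instance=True";
using (SqlConnection connection = new SqlConnection(connectionString))
{
    connection.Open();
    using (SqlCommand command = new SqlCommand(
        "select receipt_no, name, rupees, pay_by, date " +
        "from receipt_info where receipt_no = @Id", connection))
    {
        // Name the parameter exactly as the placeholder is written in the statement.
        command.Parameters.Add(new SqlParameter("@Id", searchId));

        // The reader keeps the connection busy until it is closed, so dispose it deterministically.
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // Consume the current row here; columns arrive in select-list order.
            }
        }
    }
}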