-4
我有我的sql查询显示使用变量“where”的字段。 我有我的变量从功能防止转义字符串c#
串 empCode其价值是通过
这里是我的代码 “\\(!”
public List<int> GetSuccessAndFailedCountForTodayForAgent(string empCode)
{
var result = new List<int>();
string query = "SELECT (SELECT COUNT(*) FROM BusinessTransactions WHERE STATUS='Failed' AND ENTEREDDATE='" + DateTime.Now.Date.ToShortDateString() + "' AND AgentEmployeeCode='" + empCode + "') AS FAILED_COUNT, (SELECT COUNT(*) FROM BusinessTransactions WHERE STATUS='Completed' AND ENTEREDDATE='" + DateTime.Now.Date.ToShortDateString() + "' AND AgentEmployeeCode='" + empCode + "') AS SUCCESS_COUNT";
using (SqlConnection conn = new SqlConnection(asynchPaymentDBConnectionString))
{
conn.Open();
using (SqlCommand s = new SqlCommand(query, conn))
{
using (SqlDataReader reader = s.ExecuteReader())
{
try
{
if (reader.HasRows)
{
while (reader.Read())
{
result.Add(reader.GetInt32(0));
result.Add(reader.GetInt32(1));
}
}
}
catch (Exception ex)
{
//do something
}
}
}
}
return result;
}
在我的C#的结果变成0 - 0当我试图直接sql服务器显示结果2 - 0
字符串!\\(被视为!\(
我如何使用我的字符串!\\(我的where子句?
编辑:
我尝试使用参数补充说:
s.Parameters.Add("@EmployeeCode", SqlDbType.NVarChar, 16);
s.Parameters["@EmployeeCode"].Value = empCode;
还不行
尝试参数化您的查询。 –
您的代码容易受到[SQL注入](http://www.w3schools.com/sql/sql_injection.asp)的影响。就像@FelixPamittan建议的那样,你应该使用[parameters](https://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters%28v=vs.110%29.aspx)来构建您的查询而不是串联字符串。 –
链接为重复http://stackoverflow.com/questions/5468425/how-do-parameterized-queries-help-against-sql-injection问题解释什么是SQL注入并显示如何解决它(这也将解决您的问题您试图破解) –