Updated: 2021-11-24 02:49:44
Just Try this one
```csharp
using System;
using System.Data;
using System.Data.SqlClient;

protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
{
    DataSet ds = new DataSet();
    SqlConnection con = new SqlConnection("Data Source=.;Initial Catalog=abc;Integrated Security=True");

    // The query text is kept exactly as posted: the column name is missing after "where"
    // and the selected value is concatenated straight into the SQL statement,
    // which is the SQL injection problem pointed out in the reply below.
    SqlCommand cmd = new SqlCommand("select * from salescounts where =''" + DropDownList1.Text + "''", con);

    SqlDataAdapter da = new SqlDataAdapter(cmd);
    da.Fill(ds); // Fill opens and closes the connection itself

    if (ds.Tables[0].Rows.Count > 0)
    {
        GridView1.DataSource = ds;
        GridView1.DataBind();
        Label1.Text = "Result found:" + GridView1.Rows.Count;
    }
    else
    {
        Label1.Text = "not found";
    }

    con.Close();
}
```
Quick Suggestion :
cmd = new SqlCommand("select * from salescounts where =''"+DropDownList1.Text+"''", con);
Never execute a SQL query like this from the UI level. It will cause SQL injection. Always use parameterized queries / stored procedures.
Thanks :-D
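A parameterized rewrite of the handler above, added here as an example rather than the poster's code. It keeps the same table, controls and connection string, and assumes the filtered column is called `Region`, since the original query omits the column name:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the same handler with the selected value passed as a parameter
// instead of being concatenated into the SQL text.
// Assumption: the filtered column is called Region (the original post omits it).
protected void DropDownList1_SelectedIndexChanged(object sender, EventArgs e)
{
    const string sql = "select * from salescounts where Region = @region";

    using (var con = new SqlConnection("Data Source=.;Initial Catalog=abc;Integrated Security=True"))
    using (var cmd = new SqlCommand(sql, con))
    {
        // The value is sent to SQL Server as data, not as part of the statement,
        // so quotes or keywords in the dropdown text are compared literally
        // and cannot change what the query does.
        cmd.Parameters.Add("@region", SqlDbType.NVarChar, 50).Value = DropDownList1.Text;

        var ds = new DataSet();
        using (var da = new SqlDataAdapter(cmd))
        {
            da.Fill(ds); // Fill opens and closes the connection itself
        }

        if (ds.Tables[0].Rows.Count > 0)
        {
            GridView1.DataSource = ds;
            GridView1.DataBind();
            Label1.Text = "Result found: " + GridView1.Rows.Count;
        }
        else
        {
            Label1.Text = "not found";
        }
    }
}
```

The explicit `SqlDbType` and length on the parameter also keep the plan cache stable and reject over-long input at the client, which string concatenation never does.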