
I tried the code, but it is not working

Updated: 2023-02-08 23:10:38



In a GridView I want to color a button based on a condition.

The GridView is as follows:

Studid  Studname     Medical

 1123    Ramesh       HIMT   (Button) should be in red color
 2313    Suresh       HIMT   (Button) should be in green color




The student professional table is as follows:

Studid    Pm_Prof_code   Sp_issu_dt

 1123       Medrep         07 July 2015
 2313       Medrep         13 July 2015



In the GridView, under the Medical column, for studid 1123, if the sp_issu_dt date is less than today I want to give the Medical column a red color.

Similarly, for studid 2313, if sp_issu_dt is greater than today I want to give the Medical column a green color.

For that I have written the code as follows:

private void Selectbatch()
{
    SQl = "select sp_issu_dt from student_professional where stud_id = " + id + " and pm_prof_code = 'medrep'";
    ds = SCon.ReadSql_DS(SQl);
    if (ds.Tables[0].Rows.Count != 0)
    {
        ViewState["Medical"] = "MedRep";
        if (Convert.ToDateTime(ds.Tables[0].Rows[0][0].ToString()) > Convert.ToDateTime(GetDate))
        {
            med = "himt";
            ViewState["color"] = "Green";
        }
        if (Convert.ToDateTime(ds.Tables[0].Rows[0][0].ToString()) < Convert.ToDateTime(GetDate))
        {
            med = "himt";
            ViewState["color"] = "Red";
        }
    }
}

protected void Grd1_DataBound(object sender, EventArgs e)
{
    Button BtnMedical = (Button)Grd1.Rows[i].FindControl("BtnMedical");
    if (null != BtnMedical)
    {
        if (BtnMedical.Text == "HIMT")
        {
            if (ViewState["Medical"] == "MedRep")
            {
                if (ViewState["color"] == "Green")
                {
                    BtnMedical.BackColor = System.Drawing.Color.Green;
                    BtnMedical.ForeColor = System.Drawing.Color.Black;
                }
                else
                {
                    BtnMedical.BackColor = System.Drawing.Color.Red;
                    BtnMedical.ForeColor = System.Drawing.Color.Black;
                }
            }
        }
    }
}




When I run it, the GridView shows as follows:

Studid  Studname     Medical

1123    Ramesh       HIMT   (Button) should be in red color
2313    Suresh       HIMT   (Button) should be in red color



For both studids the Medical column shows in red color only.

But for studid 2313 the sp_issu_dt date is greater than today's date.

In run mode, for that studid, the Medical column shows in red color only.

From my above code, what is the mistake I made?

Please help me.

First of all, never concatenate values directly into SQL statements. This leaves you open to SQL injection, possible conversion problems and so on. Instead use SqlParameter.

Then, about the line
if (Convert.ToDateTime(ds.Tables[0].Rows[0][0].ToString()) > Convert.ToDateTime(GetDate))


In that statement you only check the first column of the first row in the result set. Shouldn't you loop through the result set and decide the coloring for each row?

Also, I didn't find the code for GetDate, so there could be problems there too. Why not use System.DateTime.Now?

One possibility is to choose the color already in the SQL. This way you won't need any loops on the calling side. For example:

SELECT sp_issu_dt,
       CASE
          -- issued before today: Red; today or later: Green (as required in the question)
          WHEN sp_issu_dt < GETDATE() THEN 'Red'
          ELSE 'Green'
       END AS Color
FROM student_professional 
WHERE ...

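Putting Solution 1 together in code, as an added example written here by the editor rather than code from either answer: the color is decided per row in SQL with a CASE, the student id travels as a typed SqlParameter instead of being pasted into the statement, and the GridView's RowDataBound event colors each row's own button rather than one value shared through ViewState. Names that are assumptions and not from the page: the connection string `StudentDb`, the helper `GetMedicalColor`, and `Grd1.DataKeyNames = "Studid"`. It also assumes sp_issu_dt is a date/datetime column and SQL Server 2008 or later (for CAST to date).

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

public partial class StudentGrid : System.Web.UI.Page
{
    // Assumption: a connection string named "StudentDb" exists in web.config.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["StudentDb"].ConnectionString;

    // Returns "Red", "Green", or null when the student has no medrep row.
    // The decision is made in SQL, per student, so nothing is shared between rows.
    private static string GetMedicalColor(int studId)
    {
        // "Today" is compared as a date so the time-of-day part of GETDATE() cannot
        // push an issue date from today into the past. Issued today counts as Green.
        const string sql =
            "SELECT TOP 1 CASE WHEN sp_issu_dt < CAST(GETDATE() AS date) " +
            "                  THEN 'Red' ELSE 'Green' END " +
            "FROM student_professional " +
            "WHERE stud_id = @studId AND pm_prof_code = @profCode " +
            "ORDER BY sp_issu_dt DESC";

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters: the statement text is fixed and the values are sent
            // separately, so they can never be parsed as SQL. An id that is not an
            // integer is rejected before this method is even called.
            cmd.Parameters.Add("@studId", SqlDbType.Int).Value = studId;
            cmd.Parameters.Add("@profCode", SqlDbType.VarChar, 20).Value = "medrep";

            conn.Open();
            object result = cmd.ExecuteScalar();   // null when no row matched
            return result as string;
        }
    }

    // Wire this up as Grd1.RowDataBound; it fires once per bound row.
    protected void Grd1_RowDataBound(object sender, GridViewRowEventArgs e)
    {
        if (e.Row.RowType != DataControlRowType.DataRow)
            return;

        // Assumption: Grd1.DataKeyNames = "Studid", so each row carries its own id.
        int studId = Convert.ToInt32(Grd1.DataKeys[e.Row.RowIndex].Value);

        var btn = e.Row.FindControl("BtnMedical") as Button;
        if (btn == null || btn.Text != "HIMT")
            return;

        string color = GetMedicalColor(studId);
        if (color == null)
            return;   // no medrep record: leave the button's default look

        btn.BackColor = color == "Green"
            ? System.Drawing.Color.Green
            : System.Drawing.Color.Red;
        btn.ForeColor = System.Drawing.Color.Black;
    }
}
```

Two things this avoids from the original code: `Grd1.Rows[i]` in a DataBound handler, where `i` is undefined and DataBound runs once for the whole grid rather than per row; and `ViewState["color"] == "Green"`, which in C# compares an `object` with a `string` by reference rather than by value (the compiler warns about this), and in any case holds only the last student's result.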

In addition to Solution 1, about SQL injection, which is your major problem.

The problem comes from the query being composed by concatenation with strings taken from the UI. Not only is repeated string concatenation inefficient (because strings are immutable; do I have to explain why that makes repeated concatenation bad?), but there is a far more important issue: it opens the door to a well-known exploit called SQL injection.

This is how it works: http://xkcd.com/327.

Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.

What to do? Just read about this problem and the main remedy, parameterized statements: http://en.wikipedia.org/wiki/SQL_injection.

With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA
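To make Solution 2's point concrete, an added console example from the editor (not SA's code): the statement from the question is built both ways, by concatenation and with a SqlParameter, and fed an honest id and one that carries a fragment of SQL. `BuildByConcatenation`, `BuildWithParameter` and the two inputs are constructed for this illustration; nothing is executed against a database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class InjectionDemo
{
    // The pattern from the question: the id is pasted into the statement text,
    // so whatever the control contained becomes part of the SQL the server parses.
    public static string BuildByConcatenation(string id)
    {
        return "select sp_issu_dt from student_professional where stud_id = " + id
             + " and pm_prof_code = 'medrep'";
    }

    // Parameterised: the statement text is a constant and the id travels as a
    // typed value. int.Parse throws FormatException on anything that is not a
    // whole number, so "1123 or 1=1" never reaches the driver at all.
    public static SqlCommand BuildWithParameter(string id)
    {
        var cmd = new SqlCommand(
            "select sp_issu_dt from student_professional " +
            "where stud_id = @studId and pm_prof_code = 'medrep'");
        cmd.Parameters.Add("@studId", SqlDbType.Int).Value = int.Parse(id);
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs: one honest id, one carrying a fragment of SQL.
        string[] inputs = { "1123", "1123 or 1=1" };

        foreach (string id in inputs)
        {
            Console.WriteLine("input: " + id);

            // For the second input the concatenated WHERE clause becomes
            //   stud_id = 1123 or 1=1 and pm_prof_code = 'medrep'
            // and since AND binds tighter than OR in T-SQL, that is
            //   stud_id = 1123 OR (1=1 AND pm_prof_code = 'medrep')
            // i.e. every student's medrep row, not just 1123's.
            Console.WriteLine("  concatenated:  " + BuildByConcatenation(id));

            try
            {
                SqlCommand cmd = BuildWithParameter(id);
                Console.WriteLine("  parameterised: " + cmd.CommandText);
                Console.WriteLine("  @studId      = " + cmd.Parameters["@studId"].Value);
            }
            catch (FormatException ex)
            {
                // The attacker-supplied text is rejected as "not an integer".
                Console.WriteLine("  parameterised: rejected (" + ex.Message + ")");
            }
        }
    }
}
```

With the parameter, SQL Server receives the fixed statement and the value as separate things (the driver sends it as sp_executesql with a declared int parameter), so the value can only ever be a number; the `or 1=1` text has no place it could be interpreted as SQL. Parameterising is the fix; parsing the id as an int first is a cheap second layer that also catches the conversion problems Solution 1 mentions.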