Updated: 2023-02-08 23:10:38
In a GridView button I want to set the color based on a condition.
The GridView is as follows:
Studid Studname Medical
1123 Ramesh HIMT (Button) should be in red color
2313 Suresh HIMT (Button) should be in green color
The student professional table is as follows:
Studid Pm_Prof_code Sp_issu_dt
1123 Medrep 07 July 2015
2313 Medrep 13 July 2015
In the GridView, under the Medical column, for studid 1123, if the sp_issu_dt date is less than today I want to give the Medical column a Red color;
similarly, for studid 2313, if sp_issu_dt is greater than today I want to give the Medical column a Green color.
For that I wrote the code as follows:
private void Selectbatch()
{
    SQl = "select sp_issu_dt from student_professional where stud_id = " + id + " and pm_prof_code = 'medrep'";
    ds = SCon.ReadSql_DS(SQl);
    if (ds.Tables[0].Rows.Count != 0)
    {
        ViewState["Medical"] = "MedRep";
        if (Convert.ToDateTime(ds.Tables[0].Rows[0][0].ToString()) > Convert.ToDateTime(GetDate))
        {
            med = "himt";
            ViewState["color"] = "Green";
        }
        if (Convert.ToDateTime(ds.Tables[0].Rows[0][0].ToString()) < Convert.ToDateTime(GetDate))
        {
            med = "himt";
            ViewState["color"] = "Red";
        }
    }
}
protected void Grd1_DataBound(object sender, EventArgs e)
{
    Button BtnMedical = (Button)Grd1.Rows[i].FindControl("BtnMedical");
    if (null != BtnMedical)
    {
        if (BtnMedical.Text == "HIMT")
        {
            if (ViewState["Medical"] == "MedRep")
            {
                if (ViewState["color"] == "Green")
                {
                    BtnMedical.BackColor = System.Drawing.Color.Green;
                    BtnMedical.ForeColor = System.Drawing.Color.Black;
                }
                else
                {
                    BtnMedical.BackColor = System.Drawing.Color.Red;
                    BtnMedical.ForeColor = System.Drawing.Color.Black;
                }
            }
        }
    }
}
When I run it, the GridView is as follows:
Studid Studname Medical
1123 Ramesh HIMT (Button) should be in red color
2313 Suresh HIMT (Button) should be in red color
For both studids the Medical column shows in red only.
But for studid 2313 the sp_issu_dt date is greater than today's date.
At run time, for that studid, the Medical column shows in red only.
What is the mistake I made in my code above?
Please help me.
First of all, never concatenate values directly into SQL statements. This leaves you open to SQL injection, possible conversion problems and so on. Instead use SqlParameter.
Then, about the line if (Convert.ToDateTime(ds.Tables[0].Rows[0][0].ToString()) > Convert.ToDateTime(GetDate)):
in that statement you only check the first column of the first row in the result set. Shouldn't you loop through the result set and decide the coloring for each row?
Also, I didn't find the code for GetDate, so there could be problems there as well. Why not use System.DateTime.Now?
One possibility is to choose the color already in the SQL. This way you won't need any loops on the calling side. For example:
    SELECT sp_issu_dt,
           CASE WHEN sp_issu_dt < GETDATE() THEN 'Red' ELSE 'Green' END AS Color
    FROM student_professional
    WHERE ...
In addition to Solution 1, about SQL injection, which is your major problem.
The problem comes from the query being composed by concatenating strings taken from the UI. Not only is repeated string concatenation inefficient (because strings are immutable; do I have to explain why that makes repeated concatenation bad?), but there is a far more important issue: it opens the door to a well-known exploit called SQL injection.
This is how it works: http://xkcd.com/327.
Are you getting the idea? The string taken from a control can be anything, including... a fragment of SQL code.
What to do? Just read about this problem and the main remedy, parameterized statements: http://en.wikipedia.org/wiki/SQL_injection.
With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.
Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.
—SA
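Putting Solution 1 (SqlParameter, choose the color in a CASE) and Solution 2 (parameterized statements instead of concatenation) together, the following is an added example and not code from the question or from either answer. It rewrites Selectbatch so the stud_id and pm_prof_code values travel as parameters, lets SQL Server pick the color, and colors each GridView row from its own stud_id in RowDataBound instead of reading one shared ViewState value. Assumptions: the connection string, that stud_id is an integer column, that the grid's data source exposes a Studid field, and that the page's markup wires OnRowDataBound to Grd1_RowDataBound. Unlike the original code, a date equal to today is treated as Green (the original's two strict comparisons colored nothing in that case).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class StudentGrid : Page
{
    // Assumption: replace with the application's real connection string (or read it
    // from ConfigurationManager.ConnectionStrings).
    private const string ConnectionString =
        "Server=.;Database=School;Integrated Security=true";

    // Returns "Red" when the issue date is before today, "Green" otherwise, or null
    // when the student has no medrep row. The colour decision lives in the CASE
    // expression, so no loop is needed on the calling side, and both filter values
    // are bound as parameters: whatever text reaches studId or the literal "medrep"
    // is sent as data, never parsed as SQL.
    private static string MedicalColorFor(int studId)
    {
        const string sql = @"
            SELECT TOP (1)
                   CASE WHEN sp_issu_dt < CAST(GETDATE() AS date) THEN 'Red' ELSE 'Green' END
            FROM   student_professional
            WHERE  stud_id = @studId AND pm_prof_code = @profCode";

        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Assumption: stud_id is an int column; a typed parameter also gives the
            // "conversion problems" from Solution 1 a single, explicit place to fail.
            cmd.Parameters.Add("@studId", SqlDbType.Int).Value = studId;
            cmd.Parameters.Add("@profCode", SqlDbType.VarChar, 20).Value = "medrep";
            con.Open();
            return cmd.ExecuteScalar() as string;   // null when the query returns no row
        }
    }

    // Runs once per bound row, so each button is coloured from its own student
    // rather than from the last value that Selectbatch happened to leave in ViewState.
    protected void Grd1_RowDataBound(object sender, GridViewRowEventArgs e)
    {
        if (e.Row.RowType != DataControlRowType.DataRow) return;

        var btn = e.Row.FindControl("BtnMedical") as Button;
        if (btn == null || btn.Text != "HIMT") return;

        // Assumption: the grid's data source exposes the student id as "Studid".
        int studId = Convert.ToInt32(DataBinder.Eval(e.Row.DataItem, "Studid"));
        string color = MedicalColorFor(studId);
        if (color == null) return;   // no medrep record: leave the button's default look

        btn.BackColor = color == "Green" ? System.Drawing.Color.Green
                                         : System.Drawing.Color.Red;
        btn.ForeColor = System.Drawing.Color.Black;
    }
}
```

This issues one parameterized query per row, which is fine for a small grid; for a large one, join student_professional into the grid's own SELECT with the same CASE expression and read the Color field in RowDataBound so the colouring costs a single round trip.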