今天晚上看论坛,有人提问说,Parameters.AddWithValue方法在有些情况下不好使,他的写法是这样的:
string strWhere = "'%美%'"; strSql = "SELECT * FROM area Where [name] like @strWhere";//这个就不好使 cmd.Parameters.AddWithValue("@strWhere", strWhere);
这是因为,ASP.NET在生成SQL语句时,会在Like后面再加上一次单引号,造成错误,如果打开 SQL Server的跟踪管理器,可以看到执行的语句如下:
exec sp_executesql N'SELECT * FROM Article Where [Title] like @strWhere',N'@strWhere nvarchar(5)',@strWhere=N'%为什么%'
不难理解,在 OldDbCommand 中也会有类似的做法。
正确的代码为:
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
string connectionString = @"Data Source=(local);Initial Catalog=jGroup2;User Id=sa;Password=myPassword;";
SqlConnection con = new SqlConnection(connectionString);
con.Open();
SqlCommand cmd = new SqlCommand();
cmd.Connection = con;
string strWhere = "%为什么%";
string strSql = "SELECT * FROM B_Article Where [Title] like @strWhere";
cmd.Parameters.AddWithValue("@strWhere", strWhere);
cmd.CommandText = strSql;
SqlDataReader dr = cmd.ExecuteReader();
while (dr.Read())
{
Response.Write(dr["Title"] + "<br>");
}
con.Close();
con.Dispose();
}
</script>