I am going to explain it in pictures and source code.
我将在图片和源代码中解释它
Front Design
Back-end Code
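/// <summary>
/// Click handler: looks up the margin (price - retailprice) for the selected vanda/price pair
/// and inserts one row into <c>records</c> for the selected customer. Every user-supplied
/// value reaches SQL Server as a command parameter, never by string concatenation.
/// </summary>
/// <param name="sender">The control that raised the event (unused).</param>
/// <param name="e">Routed event data (unused).</param>
private void AddRecord(object sender, RoutedEventArgs e)
{
    if (datee.Text == "" || cusname.SelectedValue == null || Vanda.SelectedValue == null || price.SelectedValue == null || bags.Text == "")
    {
        MessageBox.Show("please fill the data");
        return;
    }

    // Validate the free-text quantity before opening the connection; Convert.ToDecimal would
    // throw a FormatException on non-numeric text after the connection was already open.
    decimal bag;
    if (!decimal.TryParse(bags.Text, out bag))
    {
        MessageBox.Show("please enter a numeric number of bags");
        return;
    }

    // Same text the original stored: picker text plus the current wall-clock time.
    // NOTE(review): if records.datee is a datetime column, passing a DateTime value
    // (DatePicker.SelectedDate) would be more robust than this culture-dependent string — confirm the column type.
    string date = datee.Text + " " + DateTime.Now.ToLongTimeString();

    DataRowView vandaRow = (DataRowView)Vanda.SelectedItem;
    string vda = vandaRow["vanda"].ToString();

    DataRowView priceRow = (DataRowView)price.SelectedItem;
    // Kept as an int, as the original did, so the stored price matches the existing column.
    int pricee = Convert.ToInt32(Convert.ToDecimal(priceRow["price"].ToString()));
    decimal credit = pricee * bag;

    DataRowView cus = (DataRowView)cusname.SelectedItem;
    // Int32, not Int16: the original rejected any customer id above 32767 with an OverflowException.
    int cusid = Convert.ToInt32(cus["id"].ToString());

    try
    {
        con.Open();

        int profit;
        using (SqlCommand profitCmd = new SqlCommand(
            "SELECT price - retailprice FROM vanda WHERE vanda = @vanda AND price = @price", con))
        {
            profitCmd.Parameters.AddWithValue("@vanda", vda);
            profitCmd.Parameters.AddWithValue("@price", pricee);

            // ExecuteScalar returns null when no row matched and DBNull when retailprice is NULL;
            // the original called reader.Read() unchecked and would have thrown in both cases.
            object result = profitCmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
            {
                MessageBox.Show("no matching vanda/price row found");
                return;
            }
            profit = Convert.ToInt32(Convert.ToDecimal(result));
        }

        using (SqlCommand insertCmd = new SqlCommand(
            "INSERT INTO records (cusid, datee, description, vanda, price, bag, credit, debit, profit) " +
            "VALUES (@cusid, @datee, @description, @vanda, @price, @bag, @credit, @debit, @profit)", con))
        {
            insertCmd.Parameters.AddWithValue("@cusid", cusid);
            insertCmd.Parameters.AddWithValue("@datee", date);
            insertCmd.Parameters.AddWithValue("@description", des.Text);
            insertCmd.Parameters.AddWithValue("@vanda", vda);
            insertCmd.Parameters.AddWithValue("@price", pricee);
            insertCmd.Parameters.AddWithValue("@bag", bag);
            insertCmd.Parameters.AddWithValue("@credit", credit);
            // The original wrote an empty string for debit; kept so new rows match existing ones.
            insertCmd.Parameters.AddWithValue("@debit", "");
            insertCmd.Parameters.AddWithValue("@profit", profit);
            insertCmd.ExecuteNonQuery();
        }

        MessageBox.Show("Data Inserted");
    }
    finally
    {
        // Runs even when a command throws, so the shared connection is never left open
        // (the original skipped con.Close() on any exception, making the next Open() fail).
        con.Close();
    }
}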
DataGrid Code
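/// <summary>
/// Fires when the end-date picker changes: loads every record whose date falls between the
/// start date and the end date (both inclusive, whole days) into the grid via a parameterised query.
/// </summary>
/// <param name="sender">The end-date picker (unused).</param>
/// <param name="e">Selection event data (unused).</param>
private void enddate_SelectedDateChanged(object sender, SelectionChangedEventArgs e)
{
    if (startdate.Text == "")
    {
        MessageBox.Show("Please Select Starting Date");
        return;
    }

    // Parse the start text (works whether startdate is a DatePicker or a TextBox) and require a
    // picked end date; the original issued the query with no usable bounds at all.
    DateTime start;
    if (!DateTime.TryParse(startdate.Text, out start) || !enddate.SelectedDate.HasValue)
    {
        return;
    }

    // Half-open range: >= start of the first day and < start of the day after the last one, so
    // the whole end day is included without a 23:59:59 bound missing fractional seconds.
    DateTime rangeStart = start.Date;
    DateTime rangeEnd = enddate.SelectedDate.Value.Date.AddDays(1);

    // NOTE(review): assumes records.datee is a date/datetime column. AddRecord stores a text value
    // there; if the column is actually (n)varchar this comparison is lexical — confirm the schema.
    // A customer filter (AND c.name = @cname) can be appended once the filter control is known.
    const string sql =
        "SELECT r.datee, c.name, r.description, r.vanda, r.price, r.bag, r.credit, r.debit " +
        "FROM records AS r JOIN customer AS c ON r.cusid = c.id " +
        "WHERE r.datee >= @startDate AND r.datee < @endDate " +
        "ORDER BY r.datee";

    try
    {
        con.Open();
        using (SqlCommand cmd = new SqlCommand(sql, con))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.AddWithValue("@startDate", rangeStart);
            cmd.Parameters.AddWithValue("@endDate", rangeEnd);

            // A single table is enough; the original bound ds.Tables[0] of a DataSet.
            DataTable table = new DataTable();
            adapter.Fill(table);
            data.DataContext = table;
        }
    }
    finally
    {
        // The original never closed the connection, so the next con.Open() elsewhere threw.
        con.Close();
    }
}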
SQL Server Database
SQL Server数据库
I hope you will understand it clearly. Now clear the bugs and improve my code/logic/query (^_^). bla bla bla bla bla bla bla bla bla bla bla
我希望你能清楚地理解它。现在清除错误并改进我的代码/逻辑/查询(^ _ ^)。 bla bla bla bla bla bla bla bla bla bla bla
3 个解决方案
#1
First, your SQL should use named parameters to avoid SQL injection attacks:
首先,您的SQL应该使用命名参数来避免SQL注入攻击:
-- Records for one customer within a date range. @cname, @startDate and @endDate are bound by
-- the caller, so no user text is ever spliced into the statement.
SELECT r.datee, c.name, r.description, r.vanda, r.price, r.bag, r.credit, r.debit
FROM records AS r
INNER JOIN customer AS c ON c.id = r.cusid
WHERE c.name = @cname
  AND r.datee BETWEEN @startDate AND @endDate
When you create these variables, which you will pass into your query, format them as follows:
当您创建要传递给查询的变量时,请按以下格式对其进行格式化:
// Start of the range: the picker's text re-parsed and re-formatted as a month/day/year string.
// NOTE(review): DateTime.Parse uses the current culture and throws on empty or malformed text, and
// sending dates as strings relies on the server's language settings to read "M/d/yyyy" —
// passing DateTime values (the SelectedDate approach in Solution 3) avoids both issues.
var startDate = DateTime.Parse(datee.Text).ToString("M/d/yyyy");
// End of the range: today, with the time forced to the last second of the day so the whole day is included.
var endDate = DateTime.Now.ToString("M/d/yyyy") + " 23:59:59";
This will convert the date values to the format your database expects.
这会将日期值转换为数据库期望的格式。
#2
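-- Same lookup written with explicit JOIN syntax. The customer name and both date bounds are
-- bound as parameters (the original embedded a literal name and left placeholder identifiers
-- for the date column and bounds); r.datee is the date column used elsewhere on this page.
SELECT r.datee, c.name, r.description, r.vanda, r.price, r.bag, r.credit, r.debit
FROM records r
JOIN customer c ON r.cusid = c.id
WHERE c.name = @cname AND r.datee BETWEEN @startDate AND @endDate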
#3
The database doesn't store the dates in any specific string format. A date is a date and it has no specific format. Formatting the output of a date is a UI thing.
数据库不以任何特定字符串格式存储日期。日期是日期,没有特定的格式。格式化日期的输出是UI的事情。
You get the actual DateTime value of a DatePicker using the SelectedDate property. You should pass these values as parameters to your command:
您可以使用SelectedDate属性获取DatePicker的实际DateTime值。您应该将这些值作为参数传递给您的命令:
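// Customer/date-range lookup with every user value bound as a parameter.
// NOTE: the command still needs its connection assigned (the window's SqlConnection) and
// @cname bound from the customer-name filter before it is executed.
SqlCommand cmd = new SqlCommand("select r.datee,c.name,r.description,r.vanda,r.price,r.bag,r.credit,r.debit from records as r, customer as c where r.cusid = c.id and c.name = @cname and r.datee BETWEEN @startDate AND @endDate");
// SelectedDate is a DateTime?; reading .Value on an empty picker throws InvalidOperationException,
// so require both dates before binding.
if (!datePicker1.SelectedDate.HasValue || !datePicker2.SelectedDate.HasValue)
{
    MessageBox.Show("Please select both dates");
    return;
}
// Midnight of the first day up to the last second of the last day, so BETWEEN covers the whole end day.
cmd.Parameters.AddWithValue("@startDate", datePicker1.SelectedDate.Value.Date);
cmd.Parameters.AddWithValue("@endDate", datePicker2.SelectedDate.Value.Date.AddHours(23).AddMinutes(59).AddSeconds(59));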
#1
First, your SQL should use named parameters to avoid SQL injection attacks:
首先,您的SQL应该使用命名参数来避免SQL注入攻击:
-- Records for one customer within a date range. @cname, @startDate and @endDate are bound by
-- the caller, so no user text is ever spliced into the statement.
SELECT r.datee, c.name, r.description, r.vanda, r.price, r.bag, r.credit, r.debit
FROM records AS r
INNER JOIN customer AS c ON c.id = r.cusid
WHERE c.name = @cname
  AND r.datee BETWEEN @startDate AND @endDate
When you create these variables, which you will pass into your query, format them as follows:
当您创建要传递给查询的变量时,请按以下格式对其进行格式化:
// Start of the range: the picker's text re-parsed and re-formatted as a month/day/year string.
// NOTE(review): DateTime.Parse uses the current culture and throws on empty or malformed text, and
// sending dates as strings relies on the server's language settings to read "M/d/yyyy" —
// passing DateTime values (the SelectedDate approach in Solution 3) avoids both issues.
var startDate = DateTime.Parse(datee.Text).ToString("M/d/yyyy");
// End of the range: today, with the time forced to the last second of the day so the whole day is included.
var endDate = DateTime.Now.ToString("M/d/yyyy") + " 23:59:59";
This will convert the date values to the format your database expects.
这会将日期值转换为数据库期望的格式。
#2
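-- Same lookup written with explicit JOIN syntax. The customer name and both date bounds are
-- bound as parameters (the original embedded a literal name and left placeholder identifiers
-- for the date column and bounds); r.datee is the date column used elsewhere on this page.
SELECT r.datee, c.name, r.description, r.vanda, r.price, r.bag, r.credit, r.debit
FROM records r
JOIN customer c ON r.cusid = c.id
WHERE c.name = @cname AND r.datee BETWEEN @startDate AND @endDate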
#3
The database doesn't store the dates in any specific string format. A date is a date and it has no specific format. Formatting the output of a date is a UI thing.
数据库不以任何特定字符串格式存储日期。日期是日期,没有特定的格式。格式化日期的输出是UI的事情。
You get the actual DateTime value of a DatePicker using the SelectedDate property. You should pass these values as parameters to your command:
您可以使用SelectedDate属性获取DatePicker的实际DateTime值。您应该将这些值作为参数传递给您的命令:
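// Customer/date-range lookup with every user value bound as a parameter.
// NOTE: the command still needs its connection assigned (the window's SqlConnection) and
// @cname bound from the customer-name filter before it is executed.
SqlCommand cmd = new SqlCommand("select r.datee,c.name,r.description,r.vanda,r.price,r.bag,r.credit,r.debit from records as r, customer as c where r.cusid = c.id and c.name = @cname and r.datee BETWEEN @startDate AND @endDate");
// SelectedDate is a DateTime?; reading .Value on an empty picker throws InvalidOperationException,
// so require both dates before binding.
if (!datePicker1.SelectedDate.HasValue || !datePicker2.SelectedDate.HasValue)
{
    MessageBox.Show("Please select both dates");
    return;
}
// Midnight of the first day up to the last second of the last day, so BETWEEN covers the whole end day.
cmd.Parameters.AddWithValue("@startDate", datePicker1.SelectedDate.Value.Date);
cmd.Parameters.AddWithValue("@endDate", datePicker2.SelectedDate.Value.Date.AddHours(23).AddMinutes(59).AddSeconds(59));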