I am having a problem with the end of a complex query:
SQLString = "SELECT i.CONCOM,
COALESCE(SUM(CASE
WHEN C.CATEGORY_ID = '30' THEN 0
ELSE t.LOGMINS END), 0) AS TotalWithoutNew,
COALESCE(SUM(t.LOGMINS), 0) AS TotalAllId
FROM Inquiry AS i
INNER JOIN TIMELOG AS t ON t.INQUIRY_ID = i.INQUIRY_ID
INNER JOIN PROD AS P ON i.PROD_ID = P.PROD_ID
INNER JOIN CATEGORY AS C ON P.CATEGORY_ID = C.CATEGORY_ID
WHERE (DATEPART(m, ESCDATE) = " & objmonth & ")
AND (DATEPART(y, ESCDATE) = " & objyear & ")
GROUP BY i.CONCOM
ORDER BY concom ASC"
Without the WHERE clause the query works fine, but as soon as I add the WHERE clause it returns nothing. ESCDATE is a DATETIME field. At first I thought it was passing a string rather than an integer, but it really is passing an integer.
In the ASP script I use Request.Querystring to get the month and year, and I want to check only results whose ESC date falls in the specified year and month.
these values from Request.Querystring and concatenate them into the query, then you are going to have a SQL injection problem. - Martin Smith
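The injection-safe form of the question's ASP code, as an added example (not the asker's code and not Martin Smith's): the month and year from Request.QueryString are validated and then bound as typed ADO parameters instead of being concatenated into SQLString. It assumes SQL Server as the back end and a connStr variable holding the connection string; note that in SQL Server DATEPART(y, ...) means day-of-year, and the year abbreviation is yyyy.

```vbscript
' Added example, not code from the question. Assumes classic ASP + VBScript,
' SQL Server, and a connStr variable holding the ADO connection string.
Option Explicit

' Accept only 1-4 plain digits within a range; the digits-only pattern rules
' out IsNumeric oddities ("1e3", "&H1F") and CLng overflow before any SQL runs.
Function ToIntInRange(value, lowest, highest)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,4}$"
    ToIntInRange = Empty
    If re.Test(value) Then
        If CLng(value) >= lowest And CLng(value) <= highest Then ToIntInRange = CLng(value)
    End If
End Function

Dim m, y
m = ToIntInRange(CStr(Request.QueryString("month")), 1, 12)
y = ToIntInRange(CStr(Request.QueryString("year")), 1900, 2100)
If IsEmpty(m) Or IsEmpty(y) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = connStr
cmd.CommandType = 1 ' adCmdText
' Same query as the question, with ? placeholders instead of concatenated values.
' DATEPART(y, ...) is day-of-year in SQL Server; the year filter needs yyyy.
cmd.CommandText = "SELECT i.CONCOM, " & _
    "COALESCE(SUM(CASE WHEN C.CATEGORY_ID = '30' THEN 0 ELSE t.LOGMINS END), 0) AS TotalWithoutNew, " & _
    "COALESCE(SUM(t.LOGMINS), 0) AS TotalAllId " & _
    "FROM Inquiry AS i " & _
    "INNER JOIN TIMELOG AS t ON t.INQUIRY_ID = i.INQUIRY_ID " & _
    "INNER JOIN PROD AS P ON i.PROD_ID = P.PROD_ID " & _
    "INNER JOIN CATEGORY AS C ON P.CATEGORY_ID = C.CATEGORY_ID " & _
    "WHERE DATEPART(mm, ESCDATE) = ? AND DATEPART(yyyy, ESCDATE) = ? " & _
    "GROUP BY i.CONCOM ORDER BY i.CONCOM ASC"
' adInteger = 3, adParamInput = 1, size 4: the values travel as typed
' parameters and are never interpreted as SQL text.
cmd.Parameters.Append cmd.CreateParameter("@month", 3, 1, 4, m)
cmd.Parameters.Append cmd.CreateParameter("@year", 3, 1, 4, y)
Set rs = cmd.Execute
```

Because the parameters are bound as integers, a query string such as month=1'; DROP TABLE TIMELOG-- is rejected by the validator rather than ever reaching the database.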