I am developing a VB.NET ASPX file and am trying to run a string query in VB.NET, but now I get the above error message. How can I determine the cause? Some of the code in this ASPX file is below. The line it errors on is: DSPageData = GlobalFunctions.GlobalF.GetSQLServerDataSet(SQL)
But this same function works for one of my other SQL strings, so I think the problem is somewhere in this SQL string:
arrType.Add("Product and Process")
arrType.Add("Product")
arrType.Add("Process")
dType.DataSource = arrType
dType.DataBind()
arrPEType.Add("INC")
arrPEType.Add("NC")
arrPEType.Add("QC")
peType.DataSource = arrPEType
peType.DataBind()
...
Select Case dType.SelectedValue
Case "Product and Process":
TheType = "(SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION='PXP_PRODUCT_QXP' Or SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION)='PXP_PROCESS_QXP')"
Case "Product":
TheType = "(SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION='PXP_PRODUCT_QXP')"
Case "Process":
TheType = "(SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION='PXP_PROCESS_QXP')"
End Select
Select Case peType.SelectedValue
Case "INC":
PE_Type = "(substring(a.QXP_EXCEPTION_NO, charindex('-', a.QXP_EXCEPTION_NO)+1, 4)='INC')"
Case "NC":
PE_Type = "(substring(a.QXP_EXCEPTION_NO, charindex('-', a.QXP_EXCEPTION_NO)+1, 4)='NC')"
Case "QC":
PE_Type = "(substring(a.QXP_EXCEPTION_NO, charindex('-', a.QXP_EXCEPTION_NO)+1, 4)='QC')"
End Select
If dOrgUnit.SelectedValue = "A开发者_开发知识库ll" then
TheOrgUnit = "<> 'All'"
Else
TheOrgUnit = "='" & dOrgUnit.SelectedValue & "'"
End If
Dim SQL As String = "SELECT CASE SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION WHEN 'PXP_PROCESS_QXP' THEN SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_SHORT_DESC ELSE EPF_FAILURE_MODE END AS QXP_SHORT_DESC, " & _
"Count(distinct SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_EXCEPTION_NO) AS CountOfQXP_EXCEPTION_NO " & _
"FROM SMARTSOLVE.V_QXP_ALL_EXCEPTION LEFT OUTER JOIN " & _
"SMARTSOLVE.V_EPL_EXCEPTION_PART_LOT ON V_QXP_ALL_EXCEPTION.QXP_ID = V_EPL_EXCEPTION_PART_LOT.EPL_QXP_ID LEFT OUTER JOIN " & _
"SMARTSOLVE.V_EPF_EXPN_PART_FMODE ON V_EPL_EXCEPTION_PART_LOT.EPL_EPA_ID = V_EPF_EXPN_PART_FMODE.EPF_EPA_ID " & _
"LEFT OUTER JOIN SMARTSOLVE.V_PXP_PRODUCT_QXP ON SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_ID = SMARTSOLVE.V_PXP_PRODUCT_QXP.QXP_ID " & _
"LEFT OUTER JOIN SMARTSOLVE.V_PXP_PROCESS_QXP ON SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_ID = SMARTSOLVE.V_PXP_PROCESS_QXP.QXP_ID " & _
"WHERE SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_OCCURENCE_DATE >= CONVERT(DATETIME, '" & FirstMonthDate & " 00:00:00', 102) " & _
"And SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_OCCURENCE_DATE <= CONVERT(DATETIME, '" & LastMonthDate & " 23:59:59', 102) AND " & _
"SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_XRS_DESCRIPTION<>'Cancel' AND " & _
"SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_ORU_NAME" & TheOrgUnit & _
" and " & TheType & _
"AND (CASE V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION WHEN 'PXP_PROCESS_QXP' THEN V_PXP_PROCESS_QXP.PXP_OPR_NAME ELSE V_PXP_PRODUCT_QXP.PXP_OPR_NAME END <> 'Non-Diagnostic' OR " & _
"CASE V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION WHEN 'PXP_PROCESS_QXP' THEN V_PXP_PROCESS_QXP.PXP_OPR_NAME ELSE V_PXP_PRODUCT_QXP.PXP_OPR_NAME END IS NULL) " & _
"GROUP BY CASE SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION WHEN 'PXP_PROCESS_QXP' THEN SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_SHORT_DESC ELSE EPF_FAILURE_MODE END " & _
"ORDER BY Count(distinct SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_EXCEPTION_NO) DESC"
Dim DSPageData as new System.Data.DataSet
DSPageData = GlobalFunctions.GlobalF.GetSQLServerDataSet(SQL)
You have one too many ) here:
Case "Product and Process"
TheType = "(SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION='PXP_PRODUCT_QXP' Or SMARTSOLVE.V_QXP_ALL_EXCEPTION.QXP_BASE_EXCEPTION)='PXP_PROCESS_QXP')"
It looks like " and " & TheType & _ in you code above should be replace with:
" and " & PE_Type & _.
I really hope this doesn't mean you're running with Option Explicit turned off. For shame.
But please take my comments on sql injection to heart. There are people out there running software that randomly trolls web sites looking for vulnerable pages, and even if you don't have a plain text input I could craft an http request that would submit anything I wanted via the dOrgUnit dropdown list. Including something like: ='1';DROP Table SMARTSOLVE.V_QXP_ALL_EXCEPTION;--
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论