在后台的搜索模型加入如下的代码:
<script language="C#" Runat="server">
private string SqlFormat(string str)
{
if(str=="" || str==null)
{
return "";
}
str=str.Replace("_","[_]");
str=str.Replace("%","[%]");
str=str.Replace("'","''");
str=str.Replace("\"","\"");
if(str.Length>20)
{
str=str.Substring(0,20); //截取前20个字符
}
return Server.HtmlEncode(str);
}
</script>
<script type="text/javascript">
function c_keyword()
{
if($("username").value=="")
{
alert("请输入关键词!");
$("username").focus();
return false;
}
}
</script>
<form action="/e/search/" target="zdy_search" method="get" name="pa_member">
产品搜索:<input type="text" size="15/" maxlength="50" id="title" name="title" value="<%=Request.QueryString["username"]%>"/> <input type="hidden" value="49" name="modelid" /><input type="hidden" value="1" name="siteid" /><input type="submit" value=" 搜索 " class="button" />
</form>
<ul class="product_pic">
<%
string kw=SqlFormat(Request.QueryString["username"]);//一定要SqlFormat格式化,否则容易被sql注入
DataTable dt=Get_Data("select * from pa_member " );
DataRow dr;
if(dt.Rows.Count>0)
{
%>
<%
for(int i=0;i<dt.Rows.Count;i++)
{
dr=dt.Rows
;
%>
<td height=20 colspan=2><b>会员详细信息</b></td>
<tr><td align=right class='tdhead'>邮箱</td><td><input type=text name='email' id='email' value="<%=dr["email"].ToString()%>" style='height:18px;border:1px solid #cccccc;text-align:left;width:180px' maxlength='100' ></td></tr>
<%
}
}
else
{
Response.Write("无匹配的记录,请更换关键字重新搜索!");
}
%>
</ul>
在前台搜索出现如下图片
我想做的是搜索某个会员的详细信息,于是我就改了这句DataTable dt=Get_Data("select * from pa_member " )为DataTable dt=Get_Data("select * from pa_member where username=kw " ); 就会出现下面的错 
