SqlParameter and the IN statement

Ale*_*der 5 c# sql sql-server

I need the following query:

createList(string commaSeparatedElements) {
    ...
    SqlCommand query = new SqlCommand("SELECT * FROM table WHERE id IN ("+commaSeparatedElements+")");
    ...
}

I want to write it using a parameterized query, so that every element in the string is checked in order to prevent SQL injection.

Pseudocode:

createList(string commaSeparatedElements) {
    ...
    SqlParameterList elements = new SqlParameterList("@elements", SqlDbType.Int);
    SqlParameterList.Values = commaSeparatedElements.split(new Char[1] {','});
    SqlCommand query = new SqlCommand("SELECT * FROM table WHERE id IN (@elements)");
    query.Parameters.Add(elements);
    ...
}

Does something like this exist in C#, or do I have to write it myself?

EDIT: Thanks for all the answers. Since I try not to use code I don't understand (too many bad experiences in the past), Dapper and table-valued parameters, even though they might fit my needs perfectly, are out of the question. I just made a loop.

string[] elements = commaSeparatedElements.Split(',');
var idParamList = new List<string>();
SqlCommand query = new SqlCommand();
for (int i = 0; i < elements.Length; i++) {
    // Each id becomes its own typed parameter; Convert.ToInt32 throws on anything that is not an integer
    query.Parameters.AddWithValue("@element" + i, Convert.ToInt32(elements[i]));
    idParamList.Add("@element" + i);
}
// Only the generated parameter names are concatenated into the SQL text, never the user input
query.CommandText = "SELECT * FROM table WHERE id IN (" + String.Join(",", idParamList) + ")";
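As an added example (not code from the original question or from any of the answers), here is the approach the asker settled on written out as a complete C# class, with the concatenating version placed beside the parameterized one. The table and column names, the `@id` parameter prefix, the connection string, and the use of `System.Data.SqlClient` are assumptions; the input strings are constructed for the demonstration. Beyond the loop in the question it adds the two checks a practitioner would want: an empty list (`IN ()` is a T-SQL syntax error) and SQL Server's limit of 2100 parameters per command.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class IdListQuery
{
    // The question's original form: caller-controlled text is spliced into the SQL.
    public static string BuildUnsafe(string commaSeparatedElements)
    {
        return "SELECT * FROM table WHERE id IN (" + commaSeparatedElements + ")";
    }

    // Parameterized form: every id is parsed as an int and bound as its own SqlParameter;
    // only the generated names (@id0, @id1, ...) are concatenated into the SQL text.
    // "table", "id" and the "@id" prefix are assumed names.
    public static SqlCommand BuildSafe(string commaSeparatedElements, SqlConnection conn)
    {
        if (commaSeparatedElements == null)
            throw new ArgumentNullException(nameof(commaSeparatedElements));

        var ids = new List<int>();
        foreach (var raw in commaSeparatedElements.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            // Reject anything that is not an integer instead of passing text through.
            if (!int.TryParse(raw.Trim(), NumberStyles.Integer, CultureInfo.InvariantCulture, out int id))
                throw new ArgumentException("not an integer id: '" + raw + "'");
            ids.Add(id);
        }

        // "IN ()" is a T-SQL syntax error, so fail before building the command.
        if (ids.Count == 0)
            throw new ArgumentException("at least one id is required");

        // SQL Server accepts at most 2100 parameters per command; larger lists need
        // chunking or a table-valued parameter, which this example does not attempt.
        if (ids.Count > 2000)
            throw new ArgumentException("too many ids for one IN list: " + ids.Count);

        var cmd = new SqlCommand { Connection = conn };
        var names = new string[ids.Count];
        for (int i = 0; i < ids.Count; i++)
        {
            names[i] = "@id" + i;
            cmd.Parameters.Add(names[i], SqlDbType.Int).Value = ids[i];
        }
        cmd.CommandText = "SELECT * FROM table WHERE id IN (" + string.Join(",", names) + ")";
        return cmd;
    }

    public static void Main()
    {
        // Constructed input: a closing parenthesis followed by an extra predicate.
        const string hostile = "1,2) OR 1=1 --";

        // Concatenation lets the predicate through as part of the statement.
        Console.WriteLine(BuildUnsafe(hostile));

        // Assumed connection string; the command is only built here, never executed.
        using (var conn = new SqlConnection("Server=.;Database=Demo;Integrated Security=true"))
        {
            var cmd = BuildSafe(" 1, 2,3", conn);
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);

            // The same hostile string is rejected at the parsing step.
            try
            {
                BuildSafe(hostile, conn);
            }
            catch (ArgumentException e)
            {
                Console.WriteLine("rejected: " + e.Message);
            }
        }
    }
}
```

For the well-formed input the command text becomes `SELECT * FROM table WHERE id IN (@id0,@id1,@id2)` with three `Int` parameters bound to 1, 2 and 3; the hostile string never reaches the SQL text because `2) OR 1=1 --` fails `int.TryParse`.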

Mar*_*ell 8

"dapper" has some voodoo for this:

var ids = new List<int> {1,2,3,4,5};
var rows = conn.Query<SomeType>("select * from table where id in @ids",
      new { ids }).ToList();

You will notice the lack of parentheses in the `in` usage; "dapper" spots this and performs the parameter expansion automatically. It also handles all the command details for you, including mapping the data back to SomeType instances.

In the example above, it will expand to the equivalent of (approximately):

int ids0 = 1, ids1 = 2, ids2 = 3, ids3 = 4, ids4 = 5;
var rows = conn.Query<SomeType>(
    "select * from table where id in (@ids0,@ids1,@ids2,@ids3,@ids4)",
      new { ids0, ids1, ids2, ids3, ids4 }).ToList();


adr*_*anm 1

I use a helper method like this

using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

/// <summary>
/// Adds a sequence of parameters to an existing parameter collection
/// </summary>
/// <typeparam name="T">Type of parameter values</typeparam>
/// <param name="parameters">Existing parameter collection</param>
/// <param name="pattern">Name prefix of the parameters; the element index is appended (e.g. "@Value" gives @Value0, @Value1, ...)</param>
/// <param name="parameterType">Database type of parameters</param>
/// <param name="length">Length of parameter. 0 for numeric parameters</param>
/// <param name="values">Sequence of values</param>
/// <returns>Comma separated string of parameter names</returns>
public static string AddParameters<T>(SqlParameterCollection parameters,
                                      string pattern,
                                      SqlDbType parameterType,
                                      int length,
                                      IEnumerable<T> values) {
    if (parameters == null)
        throw new ArgumentNullException("parameters");
    if (pattern == null)
        throw new ArgumentNullException("pattern");
    if (values == null)
        throw new ArgumentNullException("values");
    if (!pattern.StartsWith("@", StringComparison.Ordinal))
        throw new ArgumentException("Pattern must start with '@'");

    var parameterNames = new List<string>();
    foreach (var item in values) {
        // Name = prefix + running index. The prefix is not used as a numeric format
        // string on purpose: in .NET custom numeric formats an "e" followed by "0"
        // is the exponent specifier, so "@Value0" would not yield @Value0, @Value1, ...
        var parameterName = pattern + parameterNames.Count;
        parameterNames.Add(parameterName);
        // Each value is bound as a typed parameter; it never touches the SQL text
        parameters.Add(parameterName, parameterType, length).Value = item;
    }

    return string.Join(",", parameterNames.ToArray());
}

It is used like this (command is an existing SqlCommand, listOfInts an IEnumerable<int>)

string sql = "SELECT col1 " +
             "FROM Table " +
             "WHERE col2 IN ({@Values}) ";
// Returns "@Value0,@Value1,..." and binds one Int parameter per element
var paramNames = SqlHelper.AddParameters(command.Parameters,
                                         "@Value",
                                         SqlDbType.Int,
                                         0,
                                         listOfInts);
// Only the generated parameter names are substituted into the SQL text
command.CommandText = sql.Replace("{@Values}", paramNames);
...

(The result is a query like SELECT ... IN (@Value0, @Value1, @Value2))