And*_*ers 78 sql vb.net asp.net
我正在编写一个搜索功能,并使用参数来考虑这个查询,以防止或至少限制SQL注入攻击.但是,当我通过我的程序运行它时,它不会返回任何内容:
SELECT * FROM compliance_corner WHERE (body LIKE '%@query%') OR (title LIKE '%@query%')
可以像这样使用参数吗?或者它们仅在以下情况下有效:
SELECT * FROM compliance_corner WHERE body LIKE '%<string>%'(<string>搜索对象在哪里).
编辑:我用VB.NET构建这个函数,这对你们贡献的语法有影响吗?
此外,我在SQL Server中运行此语句:SELECT * FROM compliance_corner WHERE (body LIKE '%max%') OR (title LIKE%max%')`并返回结果.
Jam*_*ran 111
好吧,我会选择:
Dim cmd as New SqlCommand(
"SELECT * FROM compliance_corner"_
+ " WHERE (body LIKE @query )"_
+ " OR (title LIKE @query)")
cmd.Parameters.Add("@query", "%" +searchString +"%")
Joh*_*ohn 78
您的可视基本代码看起来像这样:
Dim cmd as New SqlCommand("SELECT * FROM compliance_corner WHERE (body LIKE '%' + @query + '%') OR (title LIKE '%' + @query + '%')")
cmd.Parameters.Add("@query", searchString)