I am using this query for paging:
string selectStatement = "SELECT * FROM ( SELECT ROW_NUMBER() OVER ( ORDER BY @sortMember @sortDirection ) AS RowNum, * FROM School) AS Rows WHERE RowNum > @pageFrom AND RowNum < @pageTo ";
command.Parameters.Add("@sortDirection", System.Data.SqlDbType.NVarChar, 50);
command.Parameters["@sortDirection"].Value = cmd.SortDescriptors.Count == 0 ? "" : cmd.SortDescriptors[0].SortDirection == System.ComponentModel.ListSortDirection.Ascending ? "" : "DESC";
If sortDirection is "" I get an exception. If you use it like this it works fine, but I want to keep the query parameterized. What is the solution?
// Variant that works: the direction is formatted into the SQL text instead of being passed as a parameter
string selectStatement = string.Format("SELECT * FROM ( SELECT ROW_NUMBER() OVER ( ORDER BY @sortMember {0} ) AS RowNum, * FROM School) AS Rows WHERE RowNum > @pageFrom AND RowNum < @pageTo ", cmd.SortDescriptors.Count == 0 || cmd.SortDescriptors[0].SortDirection == System.ComponentModel.ListSortDirection.Ascending ? "" : "DESC");
The exception I get is: Incorrect syntax near '@sortDirection'.
You can't parameterize things like table names, columns, order-by, etc. They are the query. You need to whitelist the expected values (to avoid SQL injection) and concatenate them directly into the query (which is what your string.Format usage does).
Currently the order-by is on the value of a variable, which does not change per row. Essentially the sort (as written) is ignored.
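An added example (not from the question or the answer above) of the whitelist approach the answer describes, using System.Data.SqlClient: the sort column and direction are resolved through a fixed lookup before being spliced into the SQL text, while the page bounds stay real parameters. The column names in the whitelist and the `descending` flag standing in for SortDescriptors are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class PagedSchoolQuery
{
    // Whitelist: the only strings that are ever concatenated into the SQL text.
    // Keys are what the caller may send; values are the bracketed column names.
    // (Assumed column names; replace with the real columns of the School table.)
    static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Id"] = "[Id]",
            ["Name"] = "[Name]",
            ["City"] = "[City]",
        };

    // Builds the SQL text. Anything not in the whitelist is rejected, so user input
    // never reaches the ORDER BY clause; the direction is a fixed keyword, not input.
    public static string BuildSql(string sortMember, bool descending)
    {
        if (!SortColumns.TryGetValue(sortMember ?? "", out string column))
            throw new ArgumentException(
                $"'{sortMember}' is not a sortable column.", nameof(sortMember));

        string direction = descending ? "DESC" : "ASC";
        return "SELECT * FROM ( SELECT ROW_NUMBER() OVER ( ORDER BY " + column + " " + direction +
               " ) AS RowNum, * FROM School ) AS Rows WHERE RowNum > @pageFrom AND RowNum < @pageTo";
    }

    // The row bounds are values, so they stay as typed parameters.
    public static SqlCommand CreateCommand(SqlConnection connection, string sortMember,
                                           bool descending, int pageFrom, int pageTo)
    {
        var command = new SqlCommand(BuildSql(sortMember, descending), connection);
        command.Parameters.Add("@pageFrom", SqlDbType.Int).Value = pageFrom;
        command.Parameters.Add("@pageTo", SqlDbType.Int).Value = pageTo;
        return command;
    }
}
```

With this shape the ORDER BY actually sorts by the column (not by a constant parameter value), and a sort member such as `Name; DROP TABLE School` is refused before any SQL is built.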