我试图将数组参数传递给C#中的SQL commnd,如下所示,但它不起作用.有没有人见过它?
string sqlCommand = "SELECT * from TableA WHERE Age IN (@Age)";
SqlConnection sqlCon = new SqlConnection(connectString);
SqlCommand sqlComm = new SqlCommand();
sqlComm.Connection = sqlCon;
sqlComm.CommandType = System.Data.CommandType.Text;
sqlComm.CommandText = sqlCommand;
sqlComm.CommandTimeout = 300;
sqlComm.Parameters.Add("@Age", SqlDbType.NVarChar);
StringBuilder sb = new StringBuilder();
foreach (ListItem item in ddlAge.Items)
{
if (item.Selected)
{
sb.Append(item.Text + ",");
}
}
sqlComm.Parameters["@Age"].Value = sb.ToString().TrimEnd(',');
我需要以下查询:
createList(string commaSeparatedElements) {
...
SqlCommand query = new SqlCommand("SELECT * FROM table WHERE id IN ("+commaSeparatedElements+")");
...
}
我想使用参数化查询来编写它,因此检查字符串中的每个元素以防止Sql-Injections.
伪代码:
createList(string commaSeparatedElements) {
...
SqlParameterList elements = new SqlParameterList("@elements", SqlDbType.Int);
SqlParameterList.Values = commaSeparatedElements.split(new Char[1] {','});
SqlCommand query = new SqlCommand("SELECT * FROM table WHERE id IN (@elements)");
query.Parameters.Add(elements);
...
}
C#中是否存在类似的内容,或者我必须自己编写?
编辑:谢谢你的所有答案.当我尽量不使用代码时,我不理解(在过去的日子里有太多不好的经历),精巧和表值参数,即使它们可能完全满足我的需求,也是禁止的.我刚做了一个循环.
string[] elements = commaSeparatedElements.split(new Char[1] {','});
StringList idParamList = new StringList();
for(int i=0;i<elements.Count;i++) {
query.Parameters.AddWithValue("@element"+i,Convert.ToInt32(elements[i]));
idParamList.Add("@element" + i);
}
SqlCommand query = new SqlCommand("SELECT * FROM table …