我正在尝试将SQL查询参数与WHERE ... INAzure Cosmos DB SQL API查询中的语句一起使用:
var componentDesignGuids = new List<Guid>();
// ...
var queryDefinition = new QueryDefinition(
"SELECT componentDesign.guid, componentDesign.component.name, componentDesign.component.componentType " +
"FROM components componentDesign " +
"WHERE componentDesign.guid IN (@componentDesignGuids)")
.WithParameter("@componentDesignGuids", string.Join(",", componentDesignGuids.Select(guid => $"\"{guid}\""))));
但这会导致查询,其中被替换的参数是单个字符串,例如IN ("guid0, guid1, guid2")。由于这是一个IN子句,因此我想在其中放置不确定数量的字符串,例如IN ("\"guid0\", \"guid1\", \"guid2\"")。我意识到我可以使用插值字符串来完成这项工作,但是我希望输入尽可能安全以防止注入。如何使用QueryDefinition和/或指定此内容WithParameter?
看到这个问题后,我不确定为什么DocDb实例的以下代码不起作用:
var userApps = _docs.CreateDocumentQuery(UriFactory.CreateDocumentCollectionUri(Constants.Databases.Applications.ID, Constants.Databases.Applications.Collections.USER_APPS),
new SqlQuerySpec(@"SELECT r.appId FROM ROOT r WHERE r.userId = @userId", (@"@userId", userId).ToSqlParameters()))
.ToList()
.Select(s => (string)s.appId);
var query = _docs.CreateDocumentQuery<Document>(UriFactory.CreateDocumentCollectionUri(Constants.Databases.Applications.ID, Constants.Databases.Applications.Collections.APP_DEFINITIONS),
new SqlQuerySpec(@"SELECT r.id, r.appName FROM ROOT r WHERE r.appId IN (@userApps)", (@"@userApps", userApps.ToArray()).ToSqlParameters()),
new FeedOptions { EnableCrossPartitionQuery = true })
.AsDocumentQuery();
当我执行此操作时,尽管我知道数据应该返回我一个结果集,但每次它都返回为空。
.Select()将我输入的字符串返回string.Join到以逗号分隔的列表中。
例如:
var userApps = string.Join(@",", _docs.CreateDocumentQuery(UriFactory.CreateDocumentCollectionUri(Constants.Databases.Applications.ID, Constants.Databases.Applications.Collections.USER_APPS),
new SqlQuerySpec(@"SELECT r.appId FROM ROOT r WHERE r.userId = @userId", (@"@userId", userId).ToSqlParameters())) …