在c#上的查询中添加参数
Add parameters in query on c#
在我的 aspx 页面后面的代码 中,我无法在 sql 查询中的 Parameters
上传递值。
我用的是MySql数据库。
第 1 步:
我在 List 查询的输出中添加:
// Step 1: copy the idcolor column of the open reader into colorList, then join the
// values with "','" so that ns reads  red','green  (no leading or trailing quote).
// NOTE(review): ns is a fragment of SQL text, not a value. Bound to a single "?"
// it is compared as one string and matches nothing; spliced into the SQL string it
// is an injection vector. Bind one parameter per value instead (see step 2).
while (reader.Read())
{
    string value = Convert.ToString(reader["idcolor"]);
    idcolor = value;            // same side effect as before: idcolor holds the last value read
    colorList.Add(value.ToString());
}
ns = string.Join("','", colorList.ToArray());
在调试中输出是:
ns = red','green
第 2 步:
我需要在 sql 查询中使用 string ns
的值。
并在parameters
中传递string ns
的值:
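// Step 2: SELECT ... WHERE Colors IN (...) with ONE positional "?" per value.
// The original bound the joined string "red','green" to a single "?", so the whole
// string was compared as one value and IN matched nothing; splicing it into the SQL
// text "worked" only because that is SQL injection. Here every value is bound as its
// own parameter and no value text ever enters the SQL string.
// Assumes colorList is the List<string> filled in step 1 from reader["idcolor"]; the
// values come straight from the database, so Server.UrlDecode is not applied to them.
DataSet dsColors = new DataSet();
if (colorList.Count == 0)
{
    // "IN ()" is a syntax error in MySQL, and an empty list can only match nothing.
    return dsColors;
}
// Build "?,?,?" with exactly colorList.Count markers.
string[] markers = new string[colorList.Count];
for (int i = 0; i < markers.Length; i++)
{
    markers[i] = "?";
}
sql = "SELECT * FROM Experience WHERE Colors IN (" + string.Join(",", markers) + ");";
using (OdbcConnection cn =
    new OdbcConnection(ConfigurationManager.ConnectionStrings["ConnMySQL"].ConnectionString))
{
    cn.Open();
    using (OdbcCommand cmd = new OdbcCommand(sql, cn))
    {
        // ODBC binds by position; the names are labels only, but keep them unique.
        for (int i = 0; i < colorList.Count; i++)
        {
            cmd.Parameters.AddWithValue("p" + i, colorList[i]);
        }
        // OdbcDataAdapter is disposable; dispose it with the command.
        using (OdbcDataAdapter adapter = new OdbcDataAdapter(cmd))
        {
            adapter.Fill(dsColors);
        }
    }
}
return dsColors;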
第 3 步:
如果在查询中使用:
// One "?" is one value: when ns = "red','green" is bound to it, the whole string is
// compared with Colors as a single value, so IN matches nothing and the DataSet is empty.
sql = @" SELECT * FROM Experience WHERE Colors IN (?); ";
dataset 中的输出为空:整个字符串 red','green 被当成一个值绑定到唯一的 ?,所以 IN 里没有任何匹配。
如果在查询中使用:
// UNSAFE: this splices the joined string into the SQL text, so the embedded quotes
// become SQL syntax. It "works" for exactly the reason SQL injection works: any value
// containing a quote or comment sequence would rewrite the statement. The values here
// come from the database rather than a request, but the pattern must not be used;
// bind one "?" per value instead.
sql = @" SELECT * FROM Experience WHERE Colors IN ( '" + Server.UrlDecode(str.ToString()) + "' ); ";
dataset 中的输出是正确的,但这是把值直接拼进 SQL 文本,引号成了 SQL 语法的一部分,属于 SQL 注入模式,不应采用。
有人知道我该如何解决吗?
你能推荐一下吗?
你能帮帮我吗?
提前谢谢你。
也可以改用 MySql.Data.MySqlClient 连接 MySQL,它支持命名参数(ODBC 的位置参数 ? 同样可行,关键是每个值各绑定一个参数):
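// Same query with the native MySql.Data provider and named parameters.
// Fixes the two typos of the original (colorList[0]/ToString(), MySqlaAdapter) and binds
// one @pN parameter per entry of colorList instead of hard-coding exactly two values.
// Assumes colorList is the List<string> built from the reader in step 1.
DataSet dsColors = new DataSet();
// "IN ()" is invalid SQL; an empty list simply leaves dsColors empty.
if (colorList.Count > 0)
{
    string[] names = new string[colorList.Count];
    for (int i = 0; i < names.Length; i++)
    {
        names[i] = "@p" + i;
    }
    // Only the placeholder names enter the SQL text; the values travel as parameters.
    sql = "SELECT * FROM Experience WHERE Colors IN (" + string.Join(",", names) + ")";
    using (MySqlConnection cn =
        new MySqlConnection(ConfigurationManager.ConnectionStrings["ConnMySQL"].ConnectionString))
    {
        cn.Open();
        using (MySqlCommand cmd = new MySqlCommand(sql, cn))
        {
            for (int i = 0; i < names.Length; i++)
            {
                // AddWithValue rather than the obsolete Add(string, object) overload.
                cmd.Parameters.AddWithValue(names[i], colorList[i]);
            }
            using (MySqlDataAdapter adapter = new MySqlDataAdapter(cmd))
            {
                adapter.Fill(dsColors);
            }
        }
    }
}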
如果你不想为每种颜色添加一个参数,你可以选择
MySql.Data.MySqlClient.MySqlHelper.EscapeString()
这不太优雅;它只是把每个值转义后再拼进 SQL 文本,并不是参数化,能否防住注入取决于连接的字符集和 sql_mode 等条件,所以应优先为每个值使用一个占位符,转义只作为退路。它的好处是值的数量可以动态变化。
// Same collection loop as step 1, but every value goes through the driver's own
// MySqlHelper.EscapeString before it is stored, so the joined ns can be quoted into
// SQL text. NOTE(review): this escapes values, it does not parameterize them; one
// placeholder per value stays the preferred form. The SQL text must still supply the
// outer quotes, i.e. IN ('<ns>'), because ns carries only the inner "','" separators.
while (reader.Read())
{
    string raw = reader["idcolor"].ToString();
    idcolor = raw;                                   // idcolor keeps the last value read
    colorList.Add(MySql.Data.MySqlClient.MySqlHelper.EscapeString(raw));
}
ns = string.Join("','", colorList.ToArray());
你的思路已经很接近了,但可以一次只查一种颜色,在循环里不断改写同一个参数的值。每次调用 Fill 都会把这一次的记录追加进去。不过要让 Fill 填充一个 DataTable 而不是 DataSet,这样它不会每次都往 DataSet 里新增一张表,而是持续追加到同一张表。无论是 1 种还是 1000 种颜色都适用,只是每种颜色要多一次数据库往返……
... rest of previous code BEFORE the OdbcCommand
... and ensure clean values for your colors as others have noted.
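// One-value-at-a-time variant: the sql in scope must contain a single "?"
// (e.g. "... WHERE Colors IN (?)"); the same parameter is re-bound for every colour
// and each Fill appends its rows to one DataTable. Costs a round trip per colour, but
// no value text ever enters the SQL string. cn is opened before this block.
// Fix: the original declared tblAllColors inside the using block and then used it
// after the block, which does not compile; it is declared here, in the outer scope.
DataTable tblAllColors = new DataTable();
using (OdbcCommand cmd = new OdbcCommand(sql, cn))
{
    // Register the single place-holder once; its Value is overwritten in the loop.
    cmd.Parameters.AddWithValue("param1", "");
    // Build the adapter once, however many colours will be queried, and dispose it.
    using (OdbcDataAdapter adapter = new OdbcDataAdapter(cmd))
    {
        foreach (string s in colorList)
        {
            // Re-bind the single parameter to the next colour; the SQL text is unchanged.
            adapter.SelectCommand.Parameters[0].Value = s;
            // Fill appends to tblAllColors; it does not clear it between calls.
            adapter.Fill(tblAllColors);
        }
    }
    // The alternative is to build the query with one "?" per colour in a comma list,
    // as the question attempted — a slightly different query.
}
dsColors.Tables.Add(tblAllColors);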
您需要为 in 子句中的每个项目添加参数和占位符。例如
// One positional "?" per value; the number of markers must equal the number of
// parameters added to the command, or the provider rejects the statement.
sql = @" SELECT * FROM Experience WHERE Colors IN (?,?,?); ";
然后为每一个添加参数。
// Repeat once per value, each call with its own value (and a distinct name). As written
// in the question this binds the whole joined string to one parameter, which is the bug.
cmd.Parameters.AddWithValue("param1", Server.UrlDecode(str.ToString()));
例子
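// Example: one positional "?" per entry of colours; the values are bound, never spliced
// into the SQL text. ConnectionString is supplied by the surrounding code.
List<string> colours = new List<string>();
colours.Add("black");
colours.Add("red");
DataSet dsColors = new DataSet();
// "IN ()" is a syntax error in MySQL, so an empty list skips the query entirely.
if (colours.Count > 0)
{
    var placeHolders = string.Join(",", (from colour in colours select "?").ToList());
    var sql = string.Format(" SELECT * FROM Experience WHERE Colors IN ({0}); ", placeHolders);
    using (OdbcConnection cn = new OdbcConnection(ConnectionString))
    {
        cn.Open();
        using (OdbcCommand cmd = new OdbcCommand(sql, cn))
        {
            // ODBC binds by position, so the names are labels only, but they should be
            // unique; the original used the value itself as the name, which repeats
            // whenever colours contains duplicates.
            for (int i = 0; i < colours.Count; i++)
            {
                cmd.Parameters.AddWithValue("p" + i, colours[i]);
            }
            using (OdbcDataAdapter adapter = new OdbcDataAdapter(cmd))
            {
                adapter.Fill(dsColors);
            }
        }
    }
}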
在我的 aspx 页面后面的代码 中,我无法在 sql 查询中的 Parameters
上传递值。
我用的是MySql数据库。
第 1 步:
我在 List 查询的输出中添加:
// Step 1: copy the idcolor column of the open reader into colorList, then join the
// values with "','" so that ns reads  red','green  (no leading or trailing quote).
// NOTE(review): ns is a fragment of SQL text, not a value. Bound to a single "?"
// it is compared as one string and matches nothing; spliced into the SQL string it
// is an injection vector. Bind one parameter per value instead (see step 2).
while (reader.Read())
{
    string value = Convert.ToString(reader["idcolor"]);
    idcolor = value;            // same side effect as before: idcolor holds the last value read
    colorList.Add(value.ToString());
}
ns = string.Join("','", colorList.ToArray());
在调试中输出是:
ns = red','green
第 2 步:
我需要在 sql 查询中使用 string ns
的值。
并在parameters
中传递string ns
的值:
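// Step 2: SELECT ... WHERE Colors IN (...) with ONE positional "?" per value.
// The original bound the joined string "red','green" to a single "?", so the whole
// string was compared as one value and IN matched nothing; splicing it into the SQL
// text "worked" only because that is SQL injection. Here every value is bound as its
// own parameter and no value text ever enters the SQL string.
// Assumes colorList is the List<string> filled in step 1 from reader["idcolor"]; the
// values come straight from the database, so Server.UrlDecode is not applied to them.
DataSet dsColors = new DataSet();
if (colorList.Count == 0)
{
    // "IN ()" is a syntax error in MySQL, and an empty list can only match nothing.
    return dsColors;
}
// Build "?,?,?" with exactly colorList.Count markers.
string[] markers = new string[colorList.Count];
for (int i = 0; i < markers.Length; i++)
{
    markers[i] = "?";
}
sql = "SELECT * FROM Experience WHERE Colors IN (" + string.Join(",", markers) + ");";
using (OdbcConnection cn =
    new OdbcConnection(ConfigurationManager.ConnectionStrings["ConnMySQL"].ConnectionString))
{
    cn.Open();
    using (OdbcCommand cmd = new OdbcCommand(sql, cn))
    {
        // ODBC binds by position; the names are labels only, but keep them unique.
        for (int i = 0; i < colorList.Count; i++)
        {
            cmd.Parameters.AddWithValue("p" + i, colorList[i]);
        }
        // OdbcDataAdapter is disposable; dispose it with the command.
        using (OdbcDataAdapter adapter = new OdbcDataAdapter(cmd))
        {
            adapter.Fill(dsColors);
        }
    }
}
return dsColors;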
第 3 步:
如果在查询中使用:
// One "?" is one value: when ns = "red','green" is bound to it, the whole string is
// compared with Colors as a single value, so IN matches nothing and the DataSet is empty.
sql = @" SELECT * FROM Experience WHERE Colors IN (?); ";
dataset 中的输出为空:整个字符串 red','green 被当成一个值绑定到唯一的 ?,所以 IN 里没有任何匹配。
如果在查询中使用:
// UNSAFE: this splices the joined string into the SQL text, so the embedded quotes
// become SQL syntax. It "works" for exactly the reason SQL injection works: any value
// containing a quote or comment sequence would rewrite the statement. The values here
// come from the database rather than a request, but the pattern must not be used;
// bind one "?" per value instead.
sql = @" SELECT * FROM Experience WHERE Colors IN ( '" + Server.UrlDecode(str.ToString()) + "' ); ";
dataset 中的输出是正确的,但这是把值直接拼进 SQL 文本,引号成了 SQL 语法的一部分,属于 SQL 注入模式,不应采用。
有人知道我该如何解决吗?
你能推荐一下吗?
你能帮帮我吗?
提前谢谢你。
也可以改用 MySql.Data.MySqlClient 连接 MySQL,它支持命名参数(ODBC 的位置参数 ? 同样可行,关键是每个值各绑定一个参数):
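// Same query with the native MySql.Data provider and named parameters.
// Fixes the two typos of the original (colorList[0]/ToString(), MySqlaAdapter) and binds
// one @pN parameter per entry of colorList instead of hard-coding exactly two values.
// Assumes colorList is the List<string> built from the reader in step 1.
DataSet dsColors = new DataSet();
// "IN ()" is invalid SQL; an empty list simply leaves dsColors empty.
if (colorList.Count > 0)
{
    string[] names = new string[colorList.Count];
    for (int i = 0; i < names.Length; i++)
    {
        names[i] = "@p" + i;
    }
    // Only the placeholder names enter the SQL text; the values travel as parameters.
    sql = "SELECT * FROM Experience WHERE Colors IN (" + string.Join(",", names) + ")";
    using (MySqlConnection cn =
        new MySqlConnection(ConfigurationManager.ConnectionStrings["ConnMySQL"].ConnectionString))
    {
        cn.Open();
        using (MySqlCommand cmd = new MySqlCommand(sql, cn))
        {
            for (int i = 0; i < names.Length; i++)
            {
                // AddWithValue rather than the obsolete Add(string, object) overload.
                cmd.Parameters.AddWithValue(names[i], colorList[i]);
            }
            using (MySqlDataAdapter adapter = new MySqlDataAdapter(cmd))
            {
                adapter.Fill(dsColors);
            }
        }
    }
}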
如果你不想为每种颜色添加一个参数,你可以选择
MySql.Data.MySqlClient.MySqlHelper.EscapeString()
这不太优雅;它只是把每个值转义后再拼进 SQL 文本,并不是参数化,能否防住注入取决于连接的字符集和 sql_mode 等条件,所以应优先为每个值使用一个占位符,转义只作为退路。它的好处是值的数量可以动态变化。
// Same collection loop as step 1, but every value goes through the driver's own
// MySqlHelper.EscapeString before it is stored, so the joined ns can be quoted into
// SQL text. NOTE(review): this escapes values, it does not parameterize them; one
// placeholder per value stays the preferred form. The SQL text must still supply the
// outer quotes, i.e. IN ('<ns>'), because ns carries only the inner "','" separators.
while (reader.Read())
{
    string raw = reader["idcolor"].ToString();
    idcolor = raw;                                   // idcolor keeps the last value read
    colorList.Add(MySql.Data.MySqlClient.MySqlHelper.EscapeString(raw));
}
ns = string.Join("','", colorList.ToArray());
你的思路已经很接近了,但可以一次只查一种颜色,在循环里不断改写同一个参数的值。每次调用 Fill 都会把这一次的记录追加进去。不过要让 Fill 填充一个 DataTable 而不是 DataSet,这样它不会每次都往 DataSet 里新增一张表,而是持续追加到同一张表。无论是 1 种还是 1000 种颜色都适用,只是每种颜色要多一次数据库往返……
... rest of previous code BEFORE the OdbcCommand
... and ensure clean values for your colors as others have noted.
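// One-value-at-a-time variant: the sql in scope must contain a single "?"
// (e.g. "... WHERE Colors IN (?)"); the same parameter is re-bound for every colour
// and each Fill appends its rows to one DataTable. Costs a round trip per colour, but
// no value text ever enters the SQL string. cn is opened before this block.
// Fix: the original declared tblAllColors inside the using block and then used it
// after the block, which does not compile; it is declared here, in the outer scope.
DataTable tblAllColors = new DataTable();
using (OdbcCommand cmd = new OdbcCommand(sql, cn))
{
    // Register the single place-holder once; its Value is overwritten in the loop.
    cmd.Parameters.AddWithValue("param1", "");
    // Build the adapter once, however many colours will be queried, and dispose it.
    using (OdbcDataAdapter adapter = new OdbcDataAdapter(cmd))
    {
        foreach (string s in colorList)
        {
            // Re-bind the single parameter to the next colour; the SQL text is unchanged.
            adapter.SelectCommand.Parameters[0].Value = s;
            // Fill appends to tblAllColors; it does not clear it between calls.
            adapter.Fill(tblAllColors);
        }
    }
    // The alternative is to build the query with one "?" per colour in a comma list,
    // as the question attempted — a slightly different query.
}
dsColors.Tables.Add(tblAllColors);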
您需要为 in 子句中的每个项目添加参数和占位符。例如
// One positional "?" per value; the number of markers must equal the number of
// parameters added to the command, or the provider rejects the statement.
sql = @" SELECT * FROM Experience WHERE Colors IN (?,?,?); ";
然后为每一个添加参数。
// Repeat once per value, each call with its own value (and a distinct name). As written
// in the question this binds the whole joined string to one parameter, which is the bug.
cmd.Parameters.AddWithValue("param1", Server.UrlDecode(str.ToString()));
例子
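// Example: one positional "?" per entry of colours; the values are bound, never spliced
// into the SQL text. ConnectionString is supplied by the surrounding code.
List<string> colours = new List<string>();
colours.Add("black");
colours.Add("red");
DataSet dsColors = new DataSet();
// "IN ()" is a syntax error in MySQL, so an empty list skips the query entirely.
if (colours.Count > 0)
{
    var placeHolders = string.Join(",", (from colour in colours select "?").ToList());
    var sql = string.Format(" SELECT * FROM Experience WHERE Colors IN ({0}); ", placeHolders);
    using (OdbcConnection cn = new OdbcConnection(ConnectionString))
    {
        cn.Open();
        using (OdbcCommand cmd = new OdbcCommand(sql, cn))
        {
            // ODBC binds by position, so the names are labels only, but they should be
            // unique; the original used the value itself as the name, which repeats
            // whenever colours contains duplicates.
            for (int i = 0; i < colours.Count; i++)
            {
                cmd.Parameters.AddWithValue("p" + i, colours[i]);
            }
            using (OdbcDataAdapter adapter = new OdbcDataAdapter(cmd))
            {
                adapter.Fill(dsColors);
            }
        }
    }
}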