MS SQL - 具有动态参数数量的参数化查询
MS SQL - Parameterized Query with Dynamic Number of Parameters
现在我正在使用以下代码为我的查询生成 WHERE 子句。我有一个搜索列参数 (searchColumn),再加上来自我所使用的选中列表框的另一个参数。
如果没有选中任何项目,则根本没有 WHERE 子句。
是否可以将其改写成参数化查询?对于第二部分,很可能可以用类似 searchColumn NOT IN ( ... ) 的方式,其中 ... 是数组中的数据。不过我不确定在没有任何项目被选中的情况下该如何处理。
对此有任何想法或链接吗?
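// Builds the WHERE clause for the currently checked items; the clause stays
// empty when nothing is checked.
// NOTE(review): strSearch comes from the list box and is spliced straight into
// the SQL text. Each value should be bound as a SqlParameter instead (the
// answers below do this). searchColumn is a column name and cannot be
// parameterized, so it must come from a fixed allowlist, never from user input.
strWhereClause = "";
foreach (object objSelected in clbxFilter.CheckedItems)
{
    string strSearch = clbxFilter.GetItemText(objSelected);
    // The first item opens the clause with WHERE; later items chain with OR.
    // (The original else-branch was missing the '+' operators around searchColumn.)
    string prefix = strWhereClause.Length == 0 ? "WHERE (" : "OR (";
    // Both sides of the inner OR compare the same column to the same value as
    // written; kept as-is so the generated text is unchanged.
    strWhereClause += prefix + searchColumn + " = '" + strSearch + "' "
        + "OR " + searchColumn + " = '" + strSearch + "') ";
}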
听起来您只是想用 C# 动态地构建一个参数化查询字符串。您的代码已经完成了一半——我在下面的示例中构建了一个包含参数名称和参数值的字典,之后您就可以用它来创建 SqlParameter。有一点我不能 100% 确定,就是 searchColumn 的来源——它是由用户输入生成的吗?那样会很危险(SQL 注入),因为列名无法作为参数绑定;要将其参数化就需要使用动态 SQL,并且可能需要您先对它进行验证。
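// Builds the WHERE clause with one named parameter per checked item and
// collects (name, value) pairs so the caller can create SqlParameters.
// strKB and searchColumn are identifiers spliced into the SQL text: they
// cannot be parameterized and must come from a fixed allowlist, not user input.
strWhereClause = "";
Dictionary<string, string> sqlParams = new Dictionary<string, string>();
int i = 0;
foreach (object objSelected in clbxFilter.CheckedItems)
{
    string strSearch = clbxFilter.GetItemText(objSelected);
    i++;
    string paramName = "@p" + i.ToString(); // "@p1", "@p2", ...
    // The first item opens the clause with WHERE; later items chain with OR.
    string prefix = (i == 1) ? "WHERE (" : "OR (";
    // Both branches now compare the same two columns; the original else-branch
    // used searchColumn on both sides and was missing its '+' operators.
    strWhereClause += prefix + "thisyear." + strKB + " = " + paramName
        + " OR " + searchColumn + " = " + paramName + ") ";
    sqlParams.Add(paramName, strSearch);
}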
然后,在参数化查询时,只需循环遍历字典即可。
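// Binds the collected (name, value) pairs to the command. The guard is only
// an early-out: enumerating an empty dictionary would add nothing anyway.
if (sqlParams.Count != 0 && strWhereClause.Length != 0)
{
    foreach (KeyValuePair<string, string> kvp in sqlParams)
    {
        // kvp.Key holds the "@pN" name (KeyValuePair has no Name member).
        // Match SqlDbType to the column's declared type (VarChar vs NVarChar)
        // so the server neither converts implicitly nor drops characters.
        command.Parameters.Add(new SqlParameter(kvp.Key, SqlDbType.VarChar) { Value = kvp.Value });
    }
}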
仅供参考:
// The generated WHERE clause; empty when no item is checked.
private string strWhereClause;
// Column names spliced into the SQL text. They cannot be bound as parameters,
// so they must be fixed/allowlisted values, never user input.
private string searchColumn;
private string strKB;
// Shared across button clicks, so its parameter collection must be cleared
// before each rebuild of the clause.
private SqlCommand cmd = new SqlCommand();
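// Rebuilds strWhereClause from the checked items of clbxFilter, binding every
// value as a named parameter (@Param1..@ParamN) on cmd. The clause is left
// empty when nothing is checked.
private void button1_Click(object sender, EventArgs e)
{
    strWhereClause = "";
    // cmd is a long-lived field: drop the parameters from the previous click,
    // otherwise every click appends another @Param1, @Param2, ... set.
    cmd.Parameters.Clear();
    int parmCount = 0;
    foreach (object objSelected in clbxFilter.CheckedItems)
    {
        string strSearch = clbxFilter.GetItemText(objSelected);
        parmCount += 1;
        string strParamName = "@Param" + parmCount.ToString(); // @Param1 .. @ParamN
        // Add(...) returns the new parameter, so the value can be set directly.
        cmd.Parameters.Add(strParamName, SqlDbType.NVarChar).Value = strSearch;
        // The first item opens the clause with WHERE; later items chain with OR.
        string prefix = strWhereClause.Length == 0 ? "WHERE (" : "OR (";
        // strKB and searchColumn are column names spliced into the SQL text;
        // they cannot be parameterized and must come from a fixed allowlist.
        strWhereClause += prefix + "thisyear." + strKB + " = " + strParamName + " "
            + "OR " + searchColumn + " = " + strParamName + ") ";
    }
}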
现在我正在使用以下代码为我的查询生成 WHERE 子句。我有一个搜索列参数 (searchColumn),再加上来自我所使用的选中列表框的另一个参数。
如果没有选中任何项目,则根本没有 WHERE 子句。
是否可以将其改写成参数化查询?对于第二部分,很可能可以用类似 searchColumn NOT IN ( ... ) 的方式,其中 ... 是数组中的数据。不过我不确定在没有任何项目被选中的情况下该如何处理。
对此有任何想法或链接吗?
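// Builds the WHERE clause for the currently checked items; the clause stays
// empty when nothing is checked.
// NOTE(review): strSearch comes from the list box and is spliced straight into
// the SQL text. Each value should be bound as a SqlParameter instead (the
// answers below do this). searchColumn is a column name and cannot be
// parameterized, so it must come from a fixed allowlist, never from user input.
strWhereClause = "";
foreach (object objSelected in clbxFilter.CheckedItems)
{
    string strSearch = clbxFilter.GetItemText(objSelected);
    // The first item opens the clause with WHERE; later items chain with OR.
    // (The original else-branch was missing the '+' operators around searchColumn.)
    string prefix = strWhereClause.Length == 0 ? "WHERE (" : "OR (";
    // Both sides of the inner OR compare the same column to the same value as
    // written; kept as-is so the generated text is unchanged.
    strWhereClause += prefix + searchColumn + " = '" + strSearch + "' "
        + "OR " + searchColumn + " = '" + strSearch + "') ";
}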
听起来您只是想用 C# 动态地构建一个参数化查询字符串。您的代码已经完成了一半——我在下面的示例中构建了一个包含参数名称和参数值的字典,之后您就可以用它来创建 SqlParameter。有一点我不能 100% 确定,就是 searchColumn 的来源——它是由用户输入生成的吗?那样会很危险(SQL 注入),因为列名无法作为参数绑定;要将其参数化就需要使用动态 SQL,并且可能需要您先对它进行验证。
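// Builds the WHERE clause with one named parameter per checked item and
// collects (name, value) pairs so the caller can create SqlParameters.
// strKB and searchColumn are identifiers spliced into the SQL text: they
// cannot be parameterized and must come from a fixed allowlist, not user input.
strWhereClause = "";
Dictionary<string, string> sqlParams = new Dictionary<string, string>();
int i = 0;
foreach (object objSelected in clbxFilter.CheckedItems)
{
    string strSearch = clbxFilter.GetItemText(objSelected);
    i++;
    string paramName = "@p" + i.ToString(); // "@p1", "@p2", ...
    // The first item opens the clause with WHERE; later items chain with OR.
    string prefix = (i == 1) ? "WHERE (" : "OR (";
    // Both branches now compare the same two columns; the original else-branch
    // used searchColumn on both sides and was missing its '+' operators.
    strWhereClause += prefix + "thisyear." + strKB + " = " + paramName
        + " OR " + searchColumn + " = " + paramName + ") ";
    sqlParams.Add(paramName, strSearch);
}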
然后,在参数化查询时,只需循环遍历字典即可。
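// Binds the collected (name, value) pairs to the command. The guard is only
// an early-out: enumerating an empty dictionary would add nothing anyway.
if (sqlParams.Count != 0 && strWhereClause.Length != 0)
{
    foreach (KeyValuePair<string, string> kvp in sqlParams)
    {
        // kvp.Key holds the "@pN" name (KeyValuePair has no Name member).
        // Match SqlDbType to the column's declared type (VarChar vs NVarChar)
        // so the server neither converts implicitly nor drops characters.
        command.Parameters.Add(new SqlParameter(kvp.Key, SqlDbType.VarChar) { Value = kvp.Value });
    }
}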
仅供参考:
// The generated WHERE clause; empty when no item is checked.
private string strWhereClause;
// Column names spliced into the SQL text. They cannot be bound as parameters,
// so they must be fixed/allowlisted values, never user input.
private string searchColumn;
private string strKB;
// Shared across button clicks, so its parameter collection must be cleared
// before each rebuild of the clause.
private SqlCommand cmd = new SqlCommand();
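// Rebuilds strWhereClause from the checked items of clbxFilter, binding every
// value as a named parameter (@Param1..@ParamN) on cmd. The clause is left
// empty when nothing is checked.
private void button1_Click(object sender, EventArgs e)
{
    strWhereClause = "";
    // cmd is a long-lived field: drop the parameters from the previous click,
    // otherwise every click appends another @Param1, @Param2, ... set.
    cmd.Parameters.Clear();
    int parmCount = 0;
    foreach (object objSelected in clbxFilter.CheckedItems)
    {
        string strSearch = clbxFilter.GetItemText(objSelected);
        parmCount += 1;
        string strParamName = "@Param" + parmCount.ToString(); // @Param1 .. @ParamN
        // Add(...) returns the new parameter, so the value can be set directly.
        cmd.Parameters.Add(strParamName, SqlDbType.NVarChar).Value = strSearch;
        // The first item opens the clause with WHERE; later items chain with OR.
        string prefix = strWhereClause.Length == 0 ? "WHERE (" : "OR (";
        // strKB and searchColumn are column names spliced into the SQL text;
        // they cannot be parameterized and must come from a fixed allowlist.
        strWhereClause += prefix + "thisyear." + strKB + " = " + strParamName + " "
            + "OR " + searchColumn + " = " + strParamName + ") ";
    }
}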