修复 SQL 参数化
Fixing SQL Parameterization
我在更新一些 SQL 查询以使用参数而不是字符串连接时遇到了一些问题。没什么特别难的,我只是想弄清楚我遗漏了什么或做错了什么。
最终查询应该类似于
-- Target query: `InputFilter` stands for the user-supplied value. The two predicates use it
-- differently: DeviceName is a substring match (value wrapped in %), SerialNumber an exact match.
SELECT [DeviceSeq], [DeviceName], [SerialNumber], [Premise], [InsertDate], [VersionNumber], [LastUpdateDate], [IsDeleted] FROM [ITAM].[dbo].[AllDevices] WHERE DeviceName LIKE '%InputFilter%' OR SerialNumber = 'InputFilter'
以前我是这样做的,它返回的正是我期望的结果。
// Original, concatenated version: `filter` is spliced directly into the SQL text, so quote or
// wildcard characters in the value become part of the statement itself (the parameterised versions
// below exist to replace this). Note the stray `@` inside '%@...%': the LIKE pattern that reaches
// the server is '%@<filter>%', i.e. it contains a literal '@'.
command.CommandText = "SELECT [DeviceSeq], [DeviceName], [SerialNumber], [Premise], [InsertDate], [VersionNumber], [LastUpdateDate], [IsDeleted] FROM [ITAM].[dbo].[AllDevices] WHERE DeviceName LIKE '%@" + filter + "%' OR SerialNumber = '" + filter + "'";
但我想做的是下面这样。但是,每次我尝试以这种方式(参数化)进行操作时,它要么返回 0 条结果,要么报错,具体取决于我尝试的格式化方式。
// Attempted parameterised version. `@filter` appears only inside single-quoted string literals
// ('%@filter%' and '@filter'), so the server treats it as literal text, not as a parameter marker;
// the SqlParameter added below is therefore never used by the WHERE clause, which is why the query
// matches nothing. A parameter marker must stand outside any quotes.
List<dynamic> hosts = new List<dynamic>();
using (SqlCommand command = conn.CreateCommand())
{
command.CommandText = "SELECT [DeviceSeq], [DeviceName], [SerialNumber], [Premise], [InsertDate], [VersionNumber], [LastUpdateDate], [IsDeleted] FROM [ITAM].[dbo].[AllDevices] WHERE DeviceName LIKE '%@filter%' OR SerialNumber = '@filter'";
// Parameter is declared correctly; it is the SQL text above that never references it.
var param = new SqlParameter("filter", System.Data.SqlDbType.VarChar);
param.Value = filter;
command.Parameters.Add(param);
using (var reader = command.ExecuteReader())
{
while (reader.Read())
{
// Columns are read by ordinal in SELECT-list order; DBNull.ToString() yields "".
dynamic h = new ITAMHost()
{
DeviceSeq = reader[0].ToString(),
DeviceName = reader[1].ToString(),
SerialNumber = reader[2].ToString(),
Premise = reader[3].ToString(),
InsertDate = reader[4].ToString(),
VersionNumber = reader[5].ToString(),
LastUpdateDate = reader[6].ToString(),
IsDeleted = reader[7].ToString(),
};
hosts.Add(h);
}
}
}
您好,尝试像这样更改您的代码:
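// Parameterised version of the query. Two parameters are needed because the two predicates treat
// the value differently: DeviceName is a substring (LIKE) match, SerialNumber an exact match.
// Reusing one "%value%" parameter for both would make the SerialNumber = comparison never match.
if (filter is null)
{
    throw new System.ArgumentNullException(nameof(filter));
}

List<dynamic> hosts = new List<dynamic>();
using (SqlCommand command = conn.CreateCommand())
{
    // Parameter markers stand outside any quotes; a marker inside '...' is just literal text.
    // ESCAPE '\' lets the pattern below match '%', '_' and '[' from the input literally.
    command.CommandText = "SELECT [DeviceSeq], [DeviceName], [SerialNumber], [Premise], [InsertDate], [VersionNumber], [LastUpdateDate], [IsDeleted] FROM [ITAM].[dbo].[AllDevices] WHERE DeviceName LIKE @pattern ESCAPE '\\' OR SerialNumber = @filter";

    // Escape LIKE metacharacters so the user-supplied value is matched as text, not as a pattern.
    // The backslash is escaped first so that the other replacements cannot be re-interpreted.
    string escaped = filter
        .Replace("\\", "\\\\")
        .Replace("%", "\\%")
        .Replace("_", "\\_")
        .Replace("[", "\\[");

    var pattern = new SqlParameter("pattern", System.Data.SqlDbType.VarChar);
    pattern.Value = "%" + escaped + "%";
    command.Parameters.Add(pattern);

    var exact = new SqlParameter("filter", System.Data.SqlDbType.VarChar);
    exact.Value = filter;
    command.Parameters.Add(exact);

    using (var reader = command.ExecuteReader())
    {
        while (reader.Read())
        {
            // Columns are read by ordinal in SELECT-list order; DBNull.ToString() yields "".
            dynamic h = new ITAMHost()
            {
                DeviceSeq = reader[0].ToString(),
                DeviceName = reader[1].ToString(),
                SerialNumber = reader[2].ToString(),
                Premise = reader[3].ToString(),
                InsertDate = reader[4].ToString(),
                VersionNumber = reader[5].ToString(),
                LastUpdateDate = reader[6].ToString(),
                IsDeleted = reader[7].ToString(),
            };
            hosts.Add(h);
        }
    }
}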
我在更新一些 SQL 查询以使用参数而不是字符串连接时遇到了一些问题。没什么特别难的,我只是想弄清楚我遗漏了什么或做错了什么。
最终查询应该类似于
-- Target query: `InputFilter` stands for the user-supplied value. The two predicates use it
-- differently: DeviceName is a substring match (value wrapped in %), SerialNumber an exact match.
SELECT [DeviceSeq], [DeviceName], [SerialNumber], [Premise], [InsertDate], [VersionNumber], [LastUpdateDate], [IsDeleted] FROM [ITAM].[dbo].[AllDevices] WHERE DeviceName LIKE '%InputFilter%' OR SerialNumber = 'InputFilter'
以前我是这样做的,它返回的正是我期望的结果。
// Original, concatenated version: `filter` is spliced directly into the SQL text, so quote or
// wildcard characters in the value become part of the statement itself (the parameterised versions
// below exist to replace this). Note the stray `@` inside '%@...%': the LIKE pattern that reaches
// the server is '%@<filter>%', i.e. it contains a literal '@'.
command.CommandText = "SELECT [DeviceSeq], [DeviceName], [SerialNumber], [Premise], [InsertDate], [VersionNumber], [LastUpdateDate], [IsDeleted] FROM [ITAM].[dbo].[AllDevices] WHERE DeviceName LIKE '%@" + filter + "%' OR SerialNumber = '" + filter + "'";
但我想做的是下面这样。但是,每次我尝试以这种方式(参数化)进行操作时,它要么返回 0 条结果,要么报错,具体取决于我尝试的格式化方式。
// Attempted parameterised version. `@filter` appears only inside single-quoted string literals
// ('%@filter%' and '@filter'), so the server treats it as literal text, not as a parameter marker;
// the SqlParameter added below is therefore never used by the WHERE clause, which is why the query
// matches nothing. A parameter marker must stand outside any quotes.
List<dynamic> hosts = new List<dynamic>();
using (SqlCommand command = conn.CreateCommand())
{
command.CommandText = "SELECT [DeviceSeq], [DeviceName], [SerialNumber], [Premise], [InsertDate], [VersionNumber], [LastUpdateDate], [IsDeleted] FROM [ITAM].[dbo].[AllDevices] WHERE DeviceName LIKE '%@filter%' OR SerialNumber = '@filter'";
// Parameter is declared correctly; it is the SQL text above that never references it.
var param = new SqlParameter("filter", System.Data.SqlDbType.VarChar);
param.Value = filter;
command.Parameters.Add(param);
using (var reader = command.ExecuteReader())
{
while (reader.Read())
{
// Columns are read by ordinal in SELECT-list order; DBNull.ToString() yields "".
dynamic h = new ITAMHost()
{
DeviceSeq = reader[0].ToString(),
DeviceName = reader[1].ToString(),
SerialNumber = reader[2].ToString(),
Premise = reader[3].ToString(),
InsertDate = reader[4].ToString(),
VersionNumber = reader[5].ToString(),
LastUpdateDate = reader[6].ToString(),
IsDeleted = reader[7].ToString(),
};
hosts.Add(h);
}
}
}
您好,尝试像这样更改您的代码:
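// Parameterised version of the query. Two parameters are needed because the two predicates treat
// the value differently: DeviceName is a substring (LIKE) match, SerialNumber an exact match.
// Reusing one "%value%" parameter for both would make the SerialNumber = comparison never match.
if (filter is null)
{
    throw new System.ArgumentNullException(nameof(filter));
}

List<dynamic> hosts = new List<dynamic>();
using (SqlCommand command = conn.CreateCommand())
{
    // Parameter markers stand outside any quotes; a marker inside '...' is just literal text.
    // ESCAPE '\' lets the pattern below match '%', '_' and '[' from the input literally.
    command.CommandText = "SELECT [DeviceSeq], [DeviceName], [SerialNumber], [Premise], [InsertDate], [VersionNumber], [LastUpdateDate], [IsDeleted] FROM [ITAM].[dbo].[AllDevices] WHERE DeviceName LIKE @pattern ESCAPE '\\' OR SerialNumber = @filter";

    // Escape LIKE metacharacters so the user-supplied value is matched as text, not as a pattern.
    // The backslash is escaped first so that the other replacements cannot be re-interpreted.
    string escaped = filter
        .Replace("\\", "\\\\")
        .Replace("%", "\\%")
        .Replace("_", "\\_")
        .Replace("[", "\\[");

    var pattern = new SqlParameter("pattern", System.Data.SqlDbType.VarChar);
    pattern.Value = "%" + escaped + "%";
    command.Parameters.Add(pattern);

    var exact = new SqlParameter("filter", System.Data.SqlDbType.VarChar);
    exact.Value = filter;
    command.Parameters.Add(exact);

    using (var reader = command.ExecuteReader())
    {
        while (reader.Read())
        {
            // Columns are read by ordinal in SELECT-list order; DBNull.ToString() yields "".
            dynamic h = new ITAMHost()
            {
                DeviceSeq = reader[0].ToString(),
                DeviceName = reader[1].ToString(),
                SerialNumber = reader[2].ToString(),
                Premise = reader[3].ToString(),
                InsertDate = reader[4].ToString(),
                VersionNumber = reader[5].ToString(),
                LastUpdateDate = reader[6].ToString(),
                IsDeleted = reader[7].ToString(),
            };
            hosts.Add(h);
        }
    }
}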