C# |在 SqlCommand 查询中使用参数
C# | Use parameter in SqlCommand query
我有这个 ASP.NET 核心项目,在我的 DAL 中,我从数据库中收集数据,但我希望用户能够键入类型字符(Karakter 是荷兰语中的字符)和 DAL应该使用 KarakterSoort = "Defensive" 从数据库中选择 2 个随机字符。
这是我 DAL 中的当前代码:
public IEnumerable<IKarakter> GetSortedKarakters()
{
using (SqlConnection connection = GetConnection())
{
connection.Open();
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = 'Defensive' ORDER BY NEWID();", connection);
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
return sortedKarakters;
}
}
这就是我认为应该朝着正确方向发展的解决方案:
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
using (SqlConnection connection = GetConnection())
{
connection.Open();
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = givenStringFromUser ORDER BY NEWID();", connection);
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
return sortedKarakters;
}
}
我找不到如何完成这项工作,所以我想在这里问我的问题。
您必须向 sql 查询提供过滤值。另外,不要直接放在查询字符串中,而是使用 SqlCommand
参数。这将使您避免不必要的 sql 注入。
像这样的东西应该可以工作:
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
using (SqlConnection connection = GetConnection())
{
connection.Open();
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @filterValue ORDER BY NEWID();", connection);
command.Parameters.Add("@filterValue", SqlDbType.VarChar).Value = givenStringFromUser;
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
return sortedKarakters;
}
}
您需要添加一个SqlParameter
并设置它的值:
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
using (SqlConnection connection = GetConnection())
{
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @UserInput ORDER BY NEWID();", connection);
command.Parameters.Add("@UserInput", SqlDbType.VarChar, 100).Value = givenStringFromUser;
connection.Open();
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
connection.Close();
return sortedKarakters;
}
}
我有这个 ASP.NET 核心项目,在我的 DAL 中,我从数据库中收集数据,但我希望用户能够键入类型字符(Karakter 是荷兰语中的字符)和 DAL应该使用 KarakterSoort = "Defensive" 从数据库中选择 2 个随机字符。
这是我 DAL 中的当前代码:
public IEnumerable<IKarakter> GetSortedKarakters()
{
using (SqlConnection connection = GetConnection())
{
connection.Open();
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = 'Defensive' ORDER BY NEWID();", connection);
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
return sortedKarakters;
}
}
这就是我认为应该朝着正确方向发展的解决方案:
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
using (SqlConnection connection = GetConnection())
{
connection.Open();
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = givenStringFromUser ORDER BY NEWID();", connection);
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
return sortedKarakters;
}
}
我找不到如何完成这项工作,所以我想在这里问我的问题。
您必须向 sql 查询提供过滤值。另外,不要直接放在查询字符串中,而是使用 SqlCommand
参数。这将使您避免不必要的 sql 注入。
像这样的东西应该可以工作:
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
using (SqlConnection connection = GetConnection())
{
connection.Open();
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @filterValue ORDER BY NEWID();", connection);
command.Parameters.Add("@filterValue", SqlDbType.VarChar).Value = givenStringFromUser;
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
return sortedKarakters;
}
}
您需要添加一个SqlParameter
并设置它的值:
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
using (SqlConnection connection = GetConnection())
{
var command = new SqlCommand("SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @UserInput ORDER BY NEWID();", connection);
command.Parameters.Add("@UserInput", SqlDbType.VarChar, 100).Value = givenStringFromUser;
connection.Open();
var reader = command.ExecuteReader();
var sortedKarakters = new List<IKarakter>();
while (reader.Read())
{
var karakter = new KarakterDTO
{
KarakterId = (int)reader["KarakterId"],
KarakterSoort = reader["KarakterSoort"]?.ToString(),
KarakterNaam = reader["KarakterNaam"]?.ToString()
};
sortedKarakters.Add(karakter);
}
connection.Close();
return sortedKarakters;
}
}