我试图在我的查询中使用sql参数来避免sql注入,但参数似乎不适用于该命令。
public static IList<Call> GetCallsFilter(string startdate, string enddate,List<String>ContextName, List<String>ValueName, List<String>TypeName)
{
using (SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["BAMConnectionString"].ConnectionString))
{
connection.Open();
startdate += " 00:00:00";
enddate += " 23:59:59";
using (SqlCommand cmd = new SqlCommand("", connection))
{
cmd.CommandText = "SELECT dbo.Calls.CallID, dbo.Connections.Connectionname,dbo.Calls.ConnectionID, dbo.Calls.ParentID, dbo.Calls.StartTime, dbo.Calls.EndTime, REPLACE(dbo.Calls.Querytime, ',', '.') AS Querytijd, dbo.Calls.Template, dbo.Calls.Profilecall, dbo.Calls.Objectcall, dbo.Calls.Method, dbo.Calls.Error, dbo.Calls.Category, dbo.Calls.Uur, dbo.Calls.DayOfMonth, dbo.Repositorys.RepositoryName,dbo.Calls.ResultLink, REPLACE(MAX(Querytime) OVER (PARTITION BY DATEPART(yyyy, dbo.Calls.StartTime), DATEPART(M, dbo.Calls.StartTime), dbo.Calls.DayOfMonth, dbo.Calls.Uur, DATEPART(MINUTE, dbo.Calls.StartTime)), ',', '.') AS MaxQueryTime FROM dbo.Calls INNER JOIN dbo.Connections ON dbo.Calls.ConnectionID = dbo.Connections.ConnectionID INNER JOIN dbo.Repositorys ON dbo.Connections.RepositoryID = dbo.Repositorys.RepositoryID where StartTime BETWEEN '" + startdate + "' AND '" + enddate + "'";
if (ContextName != null && ValueName != null)
{
for (int i = 0; i < ContextName.Count; i++)
{
if (ContextName[i].ToString() != "Filter")
{
if (TypeName[i].ToString() == "LIKE")
{
cmd.CommandText += " AND exists (Select * from dbo.Context where CallID = dbo.Calls.CallID and Name=@Name and Value like @Value)";
cmd.Parameters.Add(new SqlParameter("Name", ContextName[i].ToString()));
cmd.Parameters.Add(new SqlParameter("Value", ValueName[i].ToString()));
}
else if (TypeName[i].ToString() == "=")
{
cmd.CommandText += " AND exists (Select * from dbo.Context where CallID = dbo.Calls.CallID and Name='" + Regex.Escape(ContextName[i].ToString()) + "' and Value = '" + Regex.Escape(ValueName[i].ToString()) + "')";
}
else if (TypeName[i].ToString() == "NOT LIKE")
{
cmd.CommandText += " AND exists (Select * from dbo.Context where CallID = dbo.Calls.CallID and Name='" + Regex.Escape(ContextName[i].ToString()) + "' and Value NOT like '%" + Regex.Escape(ValueName[i].ToString()) + "%')";
}
}
}
}
using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
{
CallData = new List<Call>();
DataTable table = new DataTable();
adapter.Fill(table);
foreach (DataRow rij in table.Rows)
{
CallData.Add(new Call() { CallID = Int64.Parse(rij[0].ToString()), Connectionname = rij[1].ToString(), ConnectionID = rij[2].ToString(), ParentID = rij[3].ToString(), StartTime = ((DateTime)rij[4]).ToString("d/MM/yyyy hh:mm:ss.fff"), EndTime = ((DateTime)rij[5]).ToString("d/MM/yyyy hh:mm:ss.fff"), Querytime = rij[6].ToString(), Template = rij[7].ToString(), Profile = rij[8].ToString(), Object = rij[9].ToString(), Method = rij[10].ToString(), Error = rij[11].ToString(), Category = rij[12].ToString(), Uur = rij[13].ToString(), DayOfMonth = rij[14].ToString(), Repository = rij[15].ToString(), Datum = rij[4].ToString(), ResultLink = rij[16].ToString(), MaxQuerytime = rij[17].ToString() });
}
}
}
}
return CallData;
}
我目前只是在IF LIKE函数中尝试它,但不会工作atm。
答案 0 :(得分:0)
public static IList<Call> GetCallsFilter(string startdate, string enddate,List<String>ContextName, List<String>ValueName, List<String>TypeName)
{
using (SqlConnection connection = new SqlConnection(ConfigurationManager.ConnectionStrings["BAMConnectionString"].ConnectionString))
{
connection.Open();
startdate += " 00:00:00";
enddate += " 23:59:59";
using (SqlCommand cmd = new SqlCommand("", connection))
{
cmd.CommandText = "SELECT ";
cmd.CommandText += " dbo.Calls.CallID, ";
cmd.CommandText += " dbo.Connections.Connectionname, ";
cmd.CommandText += " dbo.Calls.ConnectionID, ";
cmd.CommandText += " dbo.Calls.ParentID, ";
cmd.CommandText += " dbo.Calls.StartTime, ";
cmd.CommandText += " dbo.Calls.EndTime, ";
cmd.CommandText += " REPLACE(dbo.Calls.Querytime, ',', '.') ";
cmd.CommandText += " AS ";
cmd.CommandText += " Querytijd, ";
cmd.CommandText += " dbo.Calls.Template, ";
cmd.CommandText += " dbo.Calls.Profilecall, ";
cmd.CommandText += " dbo.Calls.Objectcall, ";
cmd.CommandText += " dbo.Calls.Method, ";
cmd.CommandText += " dbo.Calls.Error, ";
cmd.CommandText += " dbo.Calls.Category, ";
cmd.CommandText += " dbo.Calls.Uur, ";
cmd.CommandText += " dbo.Calls.DayOfMonth, ";
cmd.CommandText += " dbo.Repositorys.RepositoryName, ";
cmd.CommandText += " dbo.Calls.ResultLink, ";
cmd.CommandText += " REPLACE(MAX(Querytime) OVER (PARTITION BY DATEPART(yyyy, dbo.Calls.StartTime), ";
cmd.CommandText += " DATEPART(M, dbo.Calls.StartTime), ";
cmd.CommandText += " dbo.Calls.DayOfMonth, ";
cmd.CommandText += " dbo.Calls.Uur, ";
cmd.CommandText += " DATEPART(MINUTE, dbo.Calls.StartTime)), ',', '.') ";
cmd.CommandText += " AS MaxQueryTime FROM dbo.Calls ";
cmd.CommandText += " INNER JOIN dbo.Connections ON ";
cmd.CommandText += " dbo.Calls.ConnectionID = dbo.Connections.ConnectionID ";
cmd.CommandText += " INNER JOIN dbo.Repositorys ON dbo.Connections.RepositoryID = dbo.Repositorys.RepositoryID ";
cmd.CommandText += " where StartTime BETWEEN @stardate AND @enddate ";
if (ContextName != null && ValueName != null)
{
for (int i = 0; i < ContextName.Count; i++)
{
if (ContextName[i].ToString() != "Filter")
{
cmd.CommandText += " AND exists ";
cmd.CommandText += "(Select * from dbo.Context ";
cmd.CommandText += " where CallID = dbo.Calls.CallID and Name=@Name and Value ";
cmd.CommandText += TypeName[i].ToString();
cmd.CommandText += " @Value)";
cmd.Parameters.AddWithValue("@Context", ContextName[i].ToString());
cmd.Parameters.AddWithValue("@Value", ValueName[i].ToString());
}
}
}
cmd.Parameters.AddWithValue("@startdate", startdate);
cmd.Parameters.AddWithValue("@enddate", enddate);
using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
{
CallData = new List<Call>();
DataTable table = new DataTable();
adapter.Fill(table);
foreach (DataRow rij in table.Rows)
{
CallData.Add(new Call() { CallID = Int64.Parse(rij[0].ToString()), Connectionname = rij[1].ToString(), ConnectionID = rij[2].ToString(), ParentID = rij[3].ToString(), StartTime = ((DateTime)rij[4]).ToString("d/MM/yyyy hh:mm:ss.fff"), EndTime = ((DateTime)rij[5]).ToString("d/MM/yyyy hh:mm:ss.fff"), Querytime = rij[6].ToString(), Template = rij[7].ToString(), Profile = rij[8].ToString(), Object = rij[9].ToString(), Method = rij[10].ToString(), Error = rij[11].ToString(), Category = rij[12].ToString(), Uur = rij[13].ToString(), DayOfMonth = rij[14].ToString(), Repository = rij[15].ToString(), Datum = rij[4].ToString(), ResultLink = rij[16].ToString(), MaxQuerytime = rij[17].ToString() });
}
}
}
}
return CallData;
}
答案 1 :(得分:0)
您必须在参数名称中添加“@”。
new SqlParameter("@Name", ContextName[i].ToString())
new SqlParameter("@Value", ValueName[i].ToString())
答案 2 :(得分:0)
尝试使用此
cmd.Parameters.AddWithValue("@Name", ContextName[i].ToString());
cmd.Parameters.AddWithValue("@Value", ValueName[i].ToString());