我正在尝试根据在表单中输入/选择的值来更改SQL查询。
这是代码。
var var_db = Database.Open("Intranet");
var var_ticketID = "";
var var_department = "";
var var_ticketType = "";
var var_priority = "";
var var_ticketStatus = "";
var var_userAssigned = "";
var var_selectStatement = "SELECT Ticket_ID AS [Ticket], Logged_Date AS [Created], Ticket_Type AS [Ticket Type], Department, Priority, Forename, Surname, Ticket_Status AS [Status], Completed_Date AS [Completed], User_Assigned AS [User], Ticket_Subject AS [Subject] FROM Ticket_Data";
List<string> whereConditions = new List<string>();
if(!Request.QueryString["TicketNumber"].IsEmpty() ) {
var_ticketID = Request.QueryString["TicketNumber"];
whereConditions.Add("Ticket_ID = " + var_ticketID);
}
if(!Request.QueryString["Department"].IsEmpty() ) {
var_department = Request.QueryString["Department"];
whereConditions.Add("Department = " + var_department);
}
if(!Request.QueryString["TicketType"].IsEmpty() ) {
var_ticketType = Request.QueryString["TicketType"];
whereConditions.Add("Ticket_Type = " + var_ticketType);
}
if(!Request.QueryString["Priority"].IsEmpty() ) {
var_priority = Request.QueryString["Priority"];
whereConditions.Add("Priority = " + var_priority);
}
if(!Request.QueryString["Status"].IsEmpty() ) {
var_ticketStatus = Request.QueryString["Status"];
whereConditions.Add("Ticket_Status = " + var_ticketStatus);
}
if(!Request.QueryString["UserAssigned"].IsEmpty() ) {
var_userAssigned = Request.QueryString["UserAssigned"];
whereConditions.Add("User_Assigned = " + var_userAssigned);
}
var var_selectCommand = var_selectStatement + " WHERE " + string.Join(" AND ", whereConditions) + " ORDER BY LoggedDate DESC";
var var_selectedData = var_db.Query(var_selectCommand);
var var_grid = new WebGrid(source: var_selectedData, defaultSort: "Status", rowsPerPage:10);
这是标记。
<div id="header"><h2>Tickets</h2></div>
<div id="content">
<form method="get">
<table>
<tr><td>Ticket Number</td><td><input type="text" class="field" id="ticket_number" name="TicketNumber" ></td></tr>
<tr><td>Department</td><td>
<select class="field" id="department" name="Department" onchange="myFunction()" >
<option value="">Please choose...</option>
<option value="Department1">Department1</option>
<option value="Department2">Department2</option>
<option value="Department3">Department3</option>
<option value="Department4">Department4</option>
<option value="Department5">Department5</option>
<option value="Department6">Department6</option>
</select></td></tr>
<tr><td>Ticket Type</td><td>
<select class="field" id="ticket_type" name="TicketType" onchange="myFunction()" >
<option value="">Please choose...</option>
<option value="Change Request">Change Request</option>
<option value="Fault">Fault</option>
</select></td></tr>
<tr><td>Priority</td><td>
<select class="field" id="priority" name="Priority" onchange="myFunction()" >
<option value="">Please choose...</option>
<option value="Low">Low</option>
<option value="Medium">Medium</option>
<option value="High">High</option>
</select></td></tr>
<tr><td>Status</td><td>
<select class="field" id="status" name="Status" onchange="myFunction()" >
<option value="">Please choose...</option>
<option value="Open">Open Tickets</option>
<option value="Closed">Closed Tickets</option>
<option value="%">All Tickets</option>
</select></td></tr>
<tr><td>User Assigned</td><td>
<select class="field" id="user_assigned" name="UserAssigned" onchange="myFunction()" >
<option value="">Please choose...</option>
<option value="User1">User1</option>
<option value="User2">User2</option>
<option value="User3">User3</option>
<option value="User4">User4</option>
<option value="%">All Users</option>
<option value="Unassigned">Unassigned</option>
</select></td></tr>
</table>
<p><input type="submit" value="Search" ></p>
</form>
<div>
@var_grid.GetHtml(
tableStyle: "grid",
headerStyle: "head",
columns: var_grid.Columns(
var_grid.Column("Ticket", format: @<a href="~/ticket_details?id=@item.Ticket">@item.Ticket</a>),
var_grid.Column("Created"),
var_grid.Column("Ticket Type"),
var_grid.Column("Priority"),
var_grid.Column("Subject"),
var_grid.Column("Department"),
var_grid.Column("Status"),
var_grid.Column("Completed"),
var_grid.Column("User")
)
)
</div>
不幸的是它不起作用。任何人都可以帮我这个吗?
答案 0 :(得分:1)
在代码中构建where子句可以打开你的SQL注入攻击。我将切换到存储过程并检查参数是否为null。
CREATE PROC dbo.SomeProcName
@param1 int = null,
@param2 varchar(20) = null
AS
SELECT * FROM someTable
WHERE
(@param1 = NULL OR column1 = @param1) AND
(@param2 = NULL OR column2 = @param2)
这将是一条更安全的道路,而且代码更少