MS SQL - Parameterized query with a dynamic number of parameters

Time: 2015-04-09 12:31:34

Tags: sql sql-server parameterized-query

Right now I use the following code to generate the WHERE clause of my query. I have one parameter for the search column (searchColumn) plus another parameter that I take from a checked list box.

If no items are checked, there is no WHERE clause at all.

Is it possible to put this into a parameterized query? For the second part it would most likely be something like searchColumn NOT IN (...), where ... is the data from the array. I'm not sure how to handle the case where nothing is checked, though.

Any ideas or links on this?

strWhereClause = "";
foreach (object objSelected in clbxFilter.CheckedItems)
{
    string strSearch = clbxFilter.GetItemText(objSelected);

    if (strWhereClause.Length == 0)
    {
        // first checked item opens the WHERE clause
        strWhereClause += "WHERE (" + searchColumn + " = '" + strSearch + "' "
                       + "OR " + searchColumn + " = '" + strSearch + "') ";
    }
    else
    {
        // every further item is OR-ed onto the clause
        strWhereClause += "OR (" + searchColumn + " = '" + strSearch + "' "
                       + "OR " + searchColumn + " = '" + strSearch + "') ";
    }
}

2 answers:

Answer 0 (score: 2)

It sounds like you are just trying to build a parameterized query string dynamically in C#. Your code is almost there; my example below builds a dictionary of parameter names and parameter values, which you can then use to create the SqlParameters. The one thing I'm not 100% sure about is where searchColumn comes from. Is it generated from user input? That could be dangerous, and parameterizing it would require some dynamic SQL and probably some validation on your part.

strWhereClause = "";
Dictionary<string, string> sqlParams = new Dictionary<string, string>();
int i = 1;
string paramName = "@p" + i.ToString(); // first iteration: "@p1"
foreach (object objSelected in clbxFilter.CheckedItems)
{
    string strSearch = clbxFilter.GetItemText(objSelected);

    if (strWhereClause.Length == 0)
    {
        strWhereClause += "WHERE (thisyear." + strKB + " = @p1 OR " + searchColumn + " = @p1) ";
        sqlParams.Add(paramName, strSearch);
        i = 2;
    }
    else
    {
        paramName = "@p" + i.ToString(); // "@p2", "@p3", etc.
        strWhereClause += "OR (" + searchColumn + " = " + paramName + " OR " + searchColumn + " = " + paramName + ") ";
        sqlParams.Add(paramName, strSearch);
        i++;
    }
}

Then, when you parameterize the query, just loop over the dictionary.

if (sqlParams.Count != 0 && strWhereClause.Length != 0)
{
  foreach (KeyValuePair<string, string> kvp in sqlParams)
  {
    // the dictionary key is the parameter name ("@p1", "@p2", ...), the value is the text to match
    command.Parameters.Add(new SqlParameter(kvp.Key, SqlDbType.VarChar) { Value = kvp.Value });
  }
}

Answer 1 (score: 0)

FYI:

    string strWhereClause;
    string searchColumn;
    string strKB;
    SqlCommand cmd = new SqlCommand();
    private void button1_Click(object sender, EventArgs e)
    {
        strWhereClause = "";
        // the command is reused across clicks; drop the parameters of the previous run
        // so that re-adding "@Param1" does not throw on a duplicate name
        cmd.Parameters.Clear();
        int ParmCount = 0;
        foreach (object objSelected in clbxFilter.CheckedItems)
        {
            string strSearch = clbxFilter.GetItemText(objSelected);
            ParmCount += 1;
            string strParamName = "@Param" + ParmCount.ToString(); // @Param1 ... @ParamN
            cmd.Parameters.Add(strParamName, SqlDbType.NVarChar);
            cmd.Parameters[strParamName].Value = strSearch;
            if (strWhereClause.Length == 0)
            {
                strWhereClause += "WHERE (thisyear." + strKB + " = " + strParamName + " "
                               + "OR " + searchColumn + " = " + strParamName + ") ";
            }
            else
            {
                strWhereClause += "OR (thisyear." + strKB + " = " + strParamName + " "
                               + "OR " + searchColumn + " = " + strParamName + ") ";
            }
        }
    }
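Pulling the two answers together, here is an added example (not code from either answerer) that builds the NOT IN form the asker mentioned with one SqlParameter per checked item, omits the WHERE clause when nothing is checked, and handles the point raised in answer 0 by checking searchColumn against an allow-list before it reaches the SQL text. The table name thisyear is taken from the answers' "thisyear." prefix; the allowed column names are a constructed assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class FilterQueryBuilder
{
    // Column names the user may filter on (constructed for this example).
    // Only a name found here is ever concatenated into the SQL text; the
    // checked values themselves travel exclusively as parameters.
    static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Category", "Region", "Owner" };

    // Builds "SELECT * FROM thisyear [WHERE [col] NOT IN (@p0, @p1, ...)]".
    // With an empty list the WHERE clause is left out, which is the case the asker
    // was unsure about: no checked items means no filter at all.
    public static SqlCommand Build(SqlConnection conn, string searchColumn, IList<string> checkedValues)
    {
        if (!AllowedColumns.Contains(searchColumn))
            throw new ArgumentException("Column is not filterable: " + searchColumn);

        SqlCommand cmd = conn.CreateCommand();
        string sql = "SELECT * FROM thisyear";

        if (checkedValues.Count > 0)
        {
            var placeholders = new List<string>();
            for (int i = 0; i < checkedValues.Count; i++)
            {
                string name = "@p" + i;                       // @p0, @p1, ...
                placeholders.Add(name);
                // typed, sized parameter: the value is never part of the statement text
                cmd.Parameters.Add(name, SqlDbType.NVarChar, 200).Value = checkedValues[i];
            }
            // bracket-quote the validated identifier; join the placeholder names, not the values
            sql += " WHERE [" + searchColumn + "] NOT IN (" + string.Join(", ", placeholders) + ")";
        }

        cmd.CommandText = sql;
        return cmd;
    }
}
```

Two caveats worth remembering with this pattern: NOT IN drops rows where the column is NULL, so test IS NULL explicitly if those rows should stay, and SQL Server caps a batch at 2100 parameters, so very large selections need a table-valued parameter instead.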