Running a SQL query with multiple parameters

Time: 2017-02-07 22:43:19

Tags: c# .net sql-server sql-injection

I know that to prevent SQL injection you use parameters like @param1, @param2 - but how do you do it when you need to pass the same parameter more than once?

Right now the params will come in from two text boxes on a WinForm. But here is my question: how does C# handle passing the params into 2 different places in the SQL string?

;WITH CTE AS
(
       Select
       RTRIM(LTRIM(employeename)) As employeename
       ,psrti
       ,nes
       FROM helper1
)
Select 
[Employee Name] = RTRIM(LTRIM(cte.employeename))
,[days employed] = (Select COUNT([days]) 
                           FROM [empinfo] jb 
                           WHERE CAST([hiredate] As Date) BETWEEN @startdate AND @enddate 
                           AND RTRIM(LTRIM(jb.employeename)) = RTRIM(LTRIM(cte.employeename)))
,[terminated emps] = (Select Count(empID) from terminate where [termination date] between @startdate AND @enddate)
FROM hrfile  hr1
RIGHT JOIN CTE cte
ON hr1.employeename = cte.employeename
GROUP BY RTRIM(LTRIM(cte.employeename)),RTRIM(LTRIM(hr1.employeename)),cte.nes
ORDER BY RTRIM(LTRIM(cte.employeename)) ASC

I know that for the first set of parameters I would do

string sql = "<the CTE query above, containing @startdate and @enddate>";

using (SqlConnection connection = new SqlConnection(/* connection info */))
using (SqlCommand command = new SqlCommand(sql, connection))
{
  // Parameter names must match the placeholders used in the SQL text.
  var param1 = new SqlParameter("@startdate", SqlDbType.DateTime);
  var param2 = new SqlParameter("@enddate", SqlDbType.DateTime);
  // Convert the text box input to the parameter's type instead of handing over raw text.
  param1.Value = DateTime.Parse(txtOne.Text);
  param2.Value = DateTime.Parse(txtTwo.Text);
  command.Parameters.Add(param1);
  command.Parameters.Add(param2);
  connection.Open();
  using (var results = command.ExecuteReader())
  {
    // read rows from results here
  }
}

1 answer:

Answer 0 (score: 0)

You do it the same way even when the parameter is used multiple times (you only set the parameter value once). C#/ADO.NET takes care of substituting the specified value for the parameter in every location where it is used.
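To make the answer concrete, here is an added example that is neither the asker's nor the answerer's code. It builds a command whose statement references @startdate and @enddate twice each, yet adds exactly two SqlParameter objects, and it validates the text box input as dates before the values ever reach the command. The table and column names (empinfo, terminate, hiredate, termination date) come from the question; the class name, method names, date formats and connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example (not from the original page). One SqlParameter per distinct
// placeholder name is enough, however many times that name appears in the SQL.
public static class DateRangeReport
{
    // @startdate and @enddate each appear twice; only two parameters are needed.
    // Table and column names are taken from the question.
    private const string Sql = @"
SELECT
    (SELECT COUNT(*) FROM [empinfo]
      WHERE CAST([hiredate] AS date) BETWEEN @startdate AND @enddate) AS [hired],
    (SELECT COUNT(empID) FROM [terminate]
      WHERE [termination date] BETWEEN @startdate AND @enddate) AS [terminated];";

    // Accepted input formats are an assumption; anything else is rejected,
    // so free text from the form never reaches the SQL string.
    private static readonly string[] Formats = { "yyyy-MM-dd", "M/d/yyyy" };

    public static bool TryParseDate(string text, out DateTime value)
    {
        return DateTime.TryParseExact(text?.Trim(), Formats,
            CultureInfo.InvariantCulture, DateTimeStyles.None, out value);
    }

    public static SqlCommand BuildCommand(SqlConnection connection, DateTime start, DateTime end)
    {
        if (end < start)
            throw new ArgumentException("end date precedes start date");

        var command = new SqlCommand(Sql, connection);
        // Typed parameters: the driver ships the values separately from the
        // statement text, so they are treated as data, never as SQL.
        command.Parameters.Add("@startdate", SqlDbType.Date).Value = start.Date;
        command.Parameters.Add("@enddate", SqlDbType.Date).Value = end.Date;
        return command;
    }

    // connectionString is an assumption; startText/endText are the two text box values.
    public static (int hired, int terminated) Run(string connectionString, string startText, string endText)
    {
        if (!TryParseDate(startText, out var start) || !TryParseDate(endText, out var end))
            throw new FormatException("dates must be yyyy-MM-dd or M/d/yyyy");

        using (var connection = new SqlConnection(connectionString))
        using (var command = BuildCommand(connection, start, end))
        {
            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                reader.Read();
                return (reader.GetInt32(0), reader.GetInt32(1));
            }
        }
    }
}
```

Note the parameter names in C# are spelled exactly as the placeholders in the statement (@startdate, @enddate); in the question's snippet the SQL uses @startdate/@enddate while the parameters are named param1/param2, and SQL Server would reject that mismatch with a "must declare the scalar variable" error rather than silently binding them.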