We are hoping for your suggestions on this.
Imports System.Data
Imports System.Text

Public Function MyMethod(ByVal CustomDataTable As DataTable) As String
    Dim columnQueryBuilder As New StringBuilder()
    Dim totalQuery As String
    Dim parameters As New List(Of MyDBParameters)()
    parameters.Add(MyDBObject.CreateParameter("MyColumn1", "SomeString"))

    ' The IN list is built by concatenating the raw cell values into the SQL text:
    ' this is where the SQL injection problem sits
    For Each eachRow As DataRow In CustomDataTable.DefaultView.ToTable().Rows
        If columnQueryBuilder.Length > 0 Then
            columnQueryBuilder.Append(", ")
        End If
        columnQueryBuilder.Append("'")
        columnQueryBuilder.Append(eachRow("MyColumn").ToString())
        columnQueryBuilder.Append("'")
    Next

    totalQuery = String.Format("SELECT MyColumn3 FROM MyTable WHERE MyColumn1 = @MyColumn1 AND MyColumn2 IN ({0})", columnQueryBuilder.ToString())
    Dim outputString As String = MyDbHelper.ExecuteQuery(totalQuery, parameters.ToArray())
    Return outputString
End Function
As you can see, it takes a column from the input DataTable, gets all the values from that column and builds a query with them:
columnQueryBuilder = 'MyColumnValue1','MyColumnValue2'
and then I put that into the query.
How can I remove this StringBuilder logic and do it in a parameterized way, so that the SQL injection vulnerability is removed?
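One way to parameterize the IN list, given as an added example rather than code from the question: emit one placeholder per DataTable row (@MyColumn2_0, @MyColumn2_1, ...) and bind each cell value to its own SqlParameter, so the values never become part of the SQL text. The example uses plain ADO.NET (System.Data.SqlClient) instead of the question's MyDbHelper; the column name MyColumn, the NVarChar(50) parameter sizes and the connection string are assumptions for illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text

Public Module ParameterizedInQuery

    ' Builds a SqlCommand for
    '   SELECT MyColumn3 FROM MyTable
    '   WHERE MyColumn1 = @MyColumn1 AND MyColumn2 IN (@MyColumn2_0, @MyColumn2_1, ...)
    ' Every value taken from the DataTable becomes a separate parameter; only the
    ' generated placeholder names are concatenated into the SQL text.
    Public Function BuildCommand(ByVal connection As SqlConnection,
                                 ByVal customDataTable As DataTable,
                                 ByVal column1Value As String) As SqlCommand
        Dim command As SqlCommand = connection.CreateCommand()
        ' Assumed column type/size: adjust to the real schema
        command.Parameters.Add("@MyColumn1", SqlDbType.NVarChar, 50).Value = column1Value

        Dim placeholders As New List(Of String)()
        Dim index As Integer = 0
        For Each row As DataRow In customDataTable.Rows
            Dim name As String = "@MyColumn2_" & index.ToString()
            placeholders.Add(name)
            ' "MyColumn" is the source column named in the question (assumed to be a string column)
            command.Parameters.Add(name, SqlDbType.NVarChar, 50).Value = row("MyColumn").ToString()
            index += 1
        Next

        If placeholders.Count = 0 Then
            ' "IN ()" is a syntax error; with no values the query should simply match nothing
            command.CommandText = "SELECT MyColumn3 FROM MyTable WHERE 1 = 0"
        Else
            command.CommandText = String.Format(
                "SELECT MyColumn3 FROM MyTable WHERE MyColumn1 = @MyColumn1 AND MyColumn2 IN ({0})",
                String.Join(", ", placeholders))
        End If
        Return command
    End Function

    ' Demonstration on a constructed DataTable. The third row contains a quote
    ' character, which would have broken (or been exploitable in) the concatenated
    ' version; here it is just a parameter value.
    Public Sub Main()
        Dim table As New DataTable()
        table.Columns.Add("MyColumn", GetType(String))
        table.Rows.Add("MyColumnValue1")
        table.Rows.Add("MyColumnValue2")
        table.Rows.Add("O'Brien")

        ' Placeholder connection string; nothing is opened in this demonstration
        Using connection As New SqlConnection("Server=.;Database=MyDb;Integrated Security=true")
            Dim command As SqlCommand = BuildCommand(connection, table, "SomeString")
            Console.WriteLine(command.CommandText)
            For Each p As SqlParameter In command.Parameters
                Console.WriteLine("{0} = {1}", p.ParameterName, p.Value)
            Next
            ' Against a real database: connection.Open() followed by command.ExecuteReader()
        End Using
    End Sub
End Module
```

Running Main prints the SQL with three @MyColumn2_n placeholders and the bound values, including O'Brien unchanged. Two practical caveats: SQL Server accepts at most 2100 parameters per command, so for very large DataTables pass the values as a table-valued parameter (SqlDbType.Structured) and join against it instead; and keep the parameter SqlDbType and length matched to the real column definition so the plan cache and implicit conversions behave the same as a hand-written query.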