在 ASP.NET Core Web API 中向 SQL 原生查询传递 SqlParameter 的正确方法

时间:2018-04-24 01:28:37

标签: asp.net .net sql-server asp.net-mvc asp.net-web-api

这是我目前的写法:

// Wraps the search value in three single quotes on each side, so tempStr becomes '''<value>'''.
// NOTE(review): when this string is handed to a SqlParameter (see the SqlParameter line further
// down), the quote characters travel as part of the parameter VALUE, not as SQL syntax — any
// comparison on the SQL side then has to match text that literally contains quotes.
String tempStr = "'''" + shain.searchAffiliation + "'''";

如果我使用

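// Builds the SET statement by splicing tempStr (and with it the user-supplied search value)
// straight into the SQL text. This is the concatenation the question itself identifies as
// injectable; a parameter reference (SET @Affiliation = @searchAffiliation) is the alternative.
// Fix: the original line ended with a stray, unterminated `"` that made it invalid C#.
String affSetStr = "  SET @Affiliation = " + tempStr + " ;";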

然后把它拼接进 queryStr,查询可以正常运行,但这样拼接会带来 SQL 注入风险。

现在我将tempStr变量传递给

// Parameter that carries the search value to the query; note it receives the already-quoted tempStr.
var shainParameterSearchName = new SqlParameter("@searchAffiliation", tempStr);

然后我的查询就返回空列表。把 tempStr 传给 SqlParameter("@searchAffiliation", tempStr) 的正确方法是什么?

// Search value wrapped in three single quotes per side ('''<value>''').
// Inside T-SQL text that literal reads as '<value>' (a doubled '' is an escaped quote), which is
// presumably needed because @Affiliation is later spliced into the dynamic @sqll string (via
// ifCase, which is not shown) — confirm against that code.
String tempStr = "'''" + shain.searchAffiliation + "'''";
// NOTE(review): the SqlParameter receives the quoted text as its VALUE, so on the SQL side
// @searchAffiliation holds '''<value>''' including the quote characters — a likely reason a
// comparison against it matches nothing. A parameter should receive the raw value only.
SqlParameter shainParameterSearchName = new SqlParameter("@searchAffiliation", tempStr);
shainParamsObj.Add(shainParameterSearchName);
// The same tempStr is still concatenated into the query text here, so this SET statement stays
// injectable. None of the visible query text references @searchAffiliation, so the parameter
// added above is unused unless the SQL is changed to `SET @Affiliation = @searchAffiliation ;`.
affSetStr = "  SET @Affiliation = " + tempStr + " ;";

 // Builds a T-SQL batch as one C# string: a few DECLARE/SET statements, then a second SQL
 // string that is assigned to @sqll and run with sp_executesql at the very end.
 // NOTE(review): searchSetStr, affSetStr, orderStr and ifCase are C# strings spliced directly
 // into the SQL text. The SqlParameters passed to FromSql can only bind the bare placeholders
 // (@ageStart, @ageEnd, @fromIndex, @toIndex — presumably supplied via shainParamsObj); they do
 // nothing for the spliced fragments. Nothing in the visible text references @searchAffiliation.
 String queryStr =  "  " +
            "DECLARE @Name VARCHAR(50);" +
            "DECLARE @Affiliation VARCHAR(50); " +
            // Caller-built fragments inserted verbatim; their contents are not shown here.
            searchSetStr +
            affSetStr +
            "DECLARE @AgeStr INT;" +
            "DECLARE @AgeEd INT;" +
            "SET @AgeStr = @ageStart;" +
            "SET @AgeEd = @ageEnd;  " +
            "DECLARE @fromIdx INT;" +
            "DECLARE @toIdx INT;  " +
            "SET @fromIdx = @fromIndex; " +
            "SET @toIdx = @toIndex; " +
            // From here on the text is a NESTED SQL string: it is assigned to @sqll and only
            // executed by the sp_executesql call at the end, so single quotes inside it are
            // doubled ('') to stay within the literal.
            "declare @sqll nvarchar(max) =  '" +
            "SELECT" +
            "        * " +
            "    FROM" +
            "        ( SELECT" +
            "            ROW_NUMBER() OVER ( " +
            // orderStr lands inside the ORDER BY of the dynamic string. If it can carry
            // user input this is an injection point; an allow-list of column names is the
            // usual guard, since ORDER BY cannot take a parameter.
            "        ORDER BY " + orderStr +
            "             ) AS RowNum, " +
            "            S1.INCODE  id ,  " +
            "            DATEDIFF(DAY,S1.KOM005,GETDATE()) age, " +
            "            CASE " +
            "                WHEN DATEDIFF(DAY,S1.KOM035,S1.KOM027) < 0  " +
            "                THEN DATEDIFF(DAY, S1.KOM035, GETDATE()) " +
            "                ELSE DATEDIFF(DAY, S1.KOM035, S1.KOM027) " +
            "            END AS lenghtOfService , " +
            "            S1.KOM001  employeeCode , " +
            "            S1.KOM005 dbo , " +
            "            ISNULL(S1.KOM004,0) gender , " +
            "            S1.KOM035 enterDate , " +
            "            S1.KOM027 retireDate  , " +
            "            S2.KOM506 postion , " +
            "            S2.KOM002 name , " +
            "            S2.KOM003 furigana , " +
            "            S2.KOM021 phone , " +
            "            S2.KOM527 email, " +
            "            S2.KOM512 postCode , " +
            "            S2.KOM509 contactPerson ," +
            "            S2.KOM513 address1 , " +
            "            S2.KOM514 address2," +
            "            S2.KOM515 tel1, " +
            "            S2.KOM507 affiliation, " +
            "            S2.KOM516 tel2, " +
            // The next five lines close the literal ('+ ... +') to splice in the result of
            // dbo.CheckIfColumnExist (a user-defined function, not shown) while @sqll is built.
            "            ISNULL( '+ dbo.CheckIfColumnExist( 'dbo','RIREKI13','R.KOM001', 'CAST(0 as FLOAT)' ) + ' ,0) CP , " +
            "            ISNULL( '+ dbo.CheckIfColumnExist( 'dbo','RIREKI13','R.KOM002', 'CAST(0 as FLOAT)' ) + ' ,0) NP, " +
            "            ISNULL( '+ dbo.CheckIfColumnExist( 'dbo','RIREKI13','R.KOM003', 'CAST(0 as FLOAT)' ) + ' ,0) A, " +
            "            ISNULL( '+ dbo.CheckIfColumnExist( 'dbo','RIREKI13','R.KOM004', 'CAST(0 as FLOAT)' ) + ' ,0) FC, " +
            "            ISNULL( '+ dbo.CheckIfColumnExist( 'dbo','RIREKI13','R.KOM005', 'CAST(0 as FLOAT)' ) + ' ,0) AC             " +
            "        FROM " +
            "            dbo.SHAIN1 as S1                     " +
            "        join " +
            "            dbo.SHAIN2 as S2 " +
            "                on S1.INCODE = S2.SHAIN  " +
            "        FULL join " +
            "            RIREKI13 as R " +
            "                on R.INCODE = S2.SHAIN " +
            // ifCase (presumably the WHERE clause, not shown) is spliced into the dynamic
            // string here; this is most likely where @Affiliation is consumed — confirm.
                        ifCase +
            "        ) AS RowConstrainedResult " +
            "        " +
            " WHERE   RowNum >= " +
            // @fromIdx/@toIdx are INTs rendered as text, so only numeric text reaches @sqll here.
            " ' + CONVERT(VARCHAR(12), @fromIdx) + ' " +
            "    AND RowNum < " +
            " ' + CONVERT(VARCHAR(12), @toIdx) + ' " +
            "   ORDER BY RowNum " +
            "'; " +
            // Runs @sqll with no parameter list, so every value spliced into it above is SQL
            // text rather than a bound parameter. sp_executesql also accepts a parameter
            // declaration plus values, which is the usual way to pass @Affiliation through safely.
            " exec sp_executesql @sqll ";

// Materialise the parameter list once, then run the raw query and pull the rows into memory.
// FromSql matches the supplied SqlParameter objects to the @placeholders in queryStr by name.
var shainParams = shainParamsObj.ToArray();
List<Shain> shainList = await _context.Shain
    .FromSql(queryStr, shainParams)
    .ToListAsync();
