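I am running into a problem using SQL Server's full-text functionality. I am converting some forum software to use full-text search, and I have everything set up and working. My problem is with the full-text queries. I have designed a few queries that run as desired when I test them in SQL Server Management Studio using the CONTAINS predicate, for example: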
Select ....
From .....
WHERE Contains(p.Message,'" dog food "' ) ......
So that runs fine, but how can I parameterize this in a prepared statement? Ideally, I would like to be able to run a query with a where clause like:
Select ....
From .....
WHERE Contains(p.Message,'" @SearchTerm "' ) ...
or even
WHERE Contains(p.Message,'"@SearchTerm" Near "@OtherSearchTerm" ) ...
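But this approach doesn't work, because of the double quotes and all. I could build the search term dynamically in code, but for security reasons I really need to use parameters for all user input. I have looked through Google results trying to find a solution but still cannot find one (surely this must happen to everyone, or I am missing something really obvious and/or it is not possible). Any ideas?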
Answer 0 (score: 3)
Create a stored procedure with a parameter, for example:
CREATE PROCEDURE [sp_FullTextSearch]
    @SearchTerm nvarchar(500)
AS
BEGIN
    Select ....
    From .....
    WHERE Contains(p.Message, @SearchTerm)
END
Then call it from your code.
HOW TO: Call SQL Server Stored Procedures in ASP.NET by Using Visual C# .NET
Answer 1 (score: 0)
What about string concatenation?
WHERE Contains(p.Message, '"' + @SearchTerm + '" Near "' + @OtherSearchTerm + '"')
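Answer 2 (score: 0)
This answer demonstrates a parameterized SQL Server full-text search in VB.NET using Enterprise Library 5.0, and further shows returning ten rows for each "object type" (think people, places, and things).
Given the following table and full-text index: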
CREATE TABLE [dbo].[SearchIndexes](
[SearchIndexId] [int] IDENTITY(1,1) NOT NULL,
[ObjectKey] [nvarchar](50) NOT NULL,
[ObjectText] [nvarchar](4000) NOT NULL,
[CreateDate] [datetime] NOT NULL,
[ObjectTypeId] [int] NOT NULL,
CONSTRAINT [PK_SearchIndexes] PRIMARY KEY CLUSTERED
(
[SearchIndexId] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]
GO
CREATE FULLTEXT INDEX ON [dbo].[SearchIndexes](
[ObjectText] LANGUAGE [English])
KEY INDEX [PK_SearchIndexes] ON ([MyDbFullTextCatalog], FILEGROUP [PRIMARY])
WITH (CHANGE_TRACKING = AUTO, STOPLIST = SYSTEM)
Code:
Public Function FullTextSearch(text As String) As System.Collections.Generic.List(Of String)
    Const SqlFormat As String = "with RankCte as (select ObjectText, Row_number() over (Partition BY ObjectTypeId ORDER BY ObjectText ) AS RowNum FROM dbo.SearchIndexes where contains(ObjectText, @ObjectTextParameter)) SELECT ObjectText FROM RankCte where RowNum <= 10"
    Const ParameterFormat As String = """{0}*"""
    Dim db = Databases.MyDb
    Using command = db.GetSqlStringCommand(SqlFormat)
        Dim parameterValue = String.Format(Globalization.CultureInfo.InvariantCulture, ParameterFormat, text)
        'parameterValue should now be something like "search*" (includes the double quotes)
        db.AddInParameter(command, "ObjectTextParameter", DbType.String, parameterValue)
        Using reader = db.ExecuteReader(command)
            Dim results As New List(Of String)
            Do While reader.Read()
                results.Add(reader(0).ToString)
            Loop
            Return results
        End Using
    End Using
End Function
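An added example, not code from any of the posts above: a stored procedure that takes the two raw user terms from the question as parameters, builds the quoted NEAR condition in a variable, and passes that variable to CONTAINS. It assumes the dbo.SearchIndexes table and full-text index from the last answer; the procedure name and the choice to replace embedded double quotes with a space are this example's own.

```sql
-- Added example; dbo.usp_SearchNear is a hypothetical name.
-- Table and full-text index: dbo.SearchIndexes(ObjectText) from the answer above.
CREATE PROCEDURE dbo.usp_SearchNear
    @SearchTerm      nvarchar(200),
    @OtherSearchTerm nvarchar(200) = NULL
AS
BEGIN
    SET NOCOUNT ON;

    -- A double quote in user input would close the quoted phrase early, so the
    -- remainder is parsed as full-text operators (AND, OR, NEAR ...) or fails
    -- with a syntax error. This example replaces it with a space.
    DECLARE @First  nvarchar(200) =
        LTRIM(RTRIM(REPLACE(ISNULL(@SearchTerm, N''), N'"', N' ')));
    DECLARE @Second nvarchar(200) =
        LTRIM(RTRIM(REPLACE(ISNULL(@OtherSearchTerm, N''), N'"', N' ')));

    -- CONTAINS raises an error on a null or empty search condition,
    -- so return an empty result set instead of calling it.
    IF @First = N''
    BEGIN
        SELECT ObjectKey, ObjectText FROM dbo.SearchIndexes WHERE 1 = 0;
        RETURN;
    END;

    -- Build the complete search condition in a variable. The user text only
    -- ever appears inside a quoted phrase, and the statement text is fixed.
    DECLARE @Condition nvarchar(500) = N'"' + @First + N'"';
    IF @Second <> N''
        SET @Condition = @Condition + N' NEAR "' + @Second + N'"';

    SELECT ObjectKey, ObjectText
    FROM dbo.SearchIndexes
    WHERE CONTAINS(ObjectText, @Condition);
END;
GO

-- Constructed sample calls.
-- Condition becomes: "dog food"
EXEC dbo.usp_SearchNear @SearchTerm = N'dog food';
-- Condition becomes: "dog  OR  cat" NEAR "bowl"  (the quotes in the input are gone,
-- so OR stays inside the phrase instead of acting as an operator)
EXEC dbo.usp_SearchNear @SearchTerm = N'dog" OR "cat', @OtherSearchTerm = N'bowl';
```

The same sanitising step applies when the condition string is built client-side and sent as a single parameter, as the VB.NET answer does with its `"{0}*"` format.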