How do I use dynamic queries in C#? From what I have searched so far, we use SqlCommand with parameters to prevent SQL injection (for example, as below).
using (SQLiteConnection DB_CONNECTION = new SQLiteConnection(connectionString))
{
    DB_CONNECTION.Open();
    string sqlquery = "UPDATE table SET Name =@Name, IsComplete=@IsComplete WHERE Key =@Key;";
    int rows = 0;
    using (SQLiteCommand command = new SQLiteCommand(sqlquery, DB_CONNECTION))
    {
        SQLiteParameter[] tableA = {
            new SQLiteParameter("@Key", todo.Key),
            new SQLiteParameter("@Name", table.Name),
            new SQLiteParameter("@IsComplete", table.IsComplete) };
        command.Parameters.AddRange(tableA);
        rows = command.ExecuteNonQuery();
    }
    DB_CONNECTION.Close();
    return (rows);
}
I am new to C# and would like to know how this can be done. Thanks in advance.
Answer 0 (score: 0)
Basically, just build the sqlQuery string based on a set of conditions and make sure the appropriate parameters are set. For example, here is some pseudo-C# (not tested for bugs):
//In reality, use some check in the C# code that decides how you want to compose your query.
//Here we set some value we want to compare to; when it is empty the extra condition is left out.
string someValueToCheck = "Some value to compare";
using (SQLiteConnection DB_CONNECTION = new SQLiteConnection(connectionString))
{
    DB_CONNECTION.Open();
    string sqlquery = "UPDATE MyTable SET Name =@Name, IsComplete=@IsComplete WHERE Key =@Key";
    //Replace this with some real condition that you want to use.
    //Only the SQL text is composed here; the value itself still goes in as a parameter below.
    if (!string.IsNullOrWhiteSpace(someValueToCheck))
    {
        sqlquery += " AND SomeOtherField = @OtherFieldValue";
    }
    int rows = 0;
    using (SQLiteCommand command = new SQLiteCommand(sqlquery, DB_CONNECTION))
    {
        //Use a list here since we can't add to an array - arrays have a fixed length.
        List<SQLiteParameter> tableAList = new List<SQLiteParameter> {
            new SQLiteParameter("@Key", todo.Key),
            new SQLiteParameter("@Name", table.Name),
            new SQLiteParameter("@IsComplete", table.IsComplete) };
        if (!string.IsNullOrWhiteSpace(someValueToCheck))
        {
            //Replace 'someValueToCheck' with the C# value that you want to use as a parameter.
            tableAList.Add(new SQLiteParameter("@OtherFieldValue", someValueToCheck));
        }
        //We convert the list back to an array as it is the expected parameter type.
        command.Parameters.AddRange(tableAList.ToArray());
        rows = command.ExecuteNonQuery();
    }
    DB_CONNECTION.Close();
    return (rows);
}
In this day and age it may be worth looking into LINQ to Entities, as it can help you compose queries dynamically in code - see for example https://stackoverflow.com/a/5541505/201648.
To set up an existing database - also known as "database first" - see the following tutorial: https://msdn.microsoft.com/en-au/data/jj206878.aspx
You can skip step 1 since you already have a database, or work through the whole tutorial first as an exercise.
Here is some pseudo-C# LINQ code that performs roughly the same update as the previous example:
//The context you have set up for the ERP database.
using (var db = new ERPContext())
{
    //db is an Entity Framework database context - see
    //https://msdn.microsoft.com/en-au/data/jj206878.aspx
    var query = db.MyTable
        .Where(c => c.Key == todo.Key);
    if (!string.IsNullOrWhiteSpace(someValueToCheck))
    {
        //This Where is used in conjunction with the previous Where,
        //so it's more or less a WHERE condition1 AND condition2 clause.
        //The value is sent to the database as a parameter, not spliced into SQL text.
        query = query.Where(c => c.SomeOtherField == someValueToCheck);
    }
    //Get the single thing we want to update.
    //First() throws InvalidOperationException if no row matches; use FirstOrDefault() and a null check if that is possible.
    var thingToUpdate = query.First();
    //Update the values.
    thingToUpdate.Name = table.Name;
    thingToUpdate.IsComplete = table.IsComplete;
    //We can save the context to apply these results.
    db.SaveChanges();
}
Entity Framework involves some setup, but in my experience the syntax is easier to follow and you become more productive. Hopefully this gets you on the right track.
LINQ to Entities can also map SQL stored procedures, in case someone on your team objects to using it for performance reasons:
https://msdn.microsoft.com/en-us/data/gg699321.aspx
Alternatively, if you absolutely must compose custom queries in your C# code, that is also allowed in Entity Framework:
https://msdn.microsoft.com/en-us/library/bb738521(v=vs.100).aspx
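The rule the answer above relies on is worth seeing end to end: only fixed SQL fragments are concatenated into the statement text, and every caller-supplied value is bound as a parameter. The following is an added example, not code from the question or the answer, written in Python against the same SQLite engine because the pattern maps one to one onto SQLiteCommand/SQLiteParameter. It goes one step further than the answer by handling a dynamic column name, which cannot be bound as a parameter and so must be checked against an allow-list, and it contrasts the parameterised update with a concatenated one fed a hostile key. The table, rows, column names and the ALLOWED_FILTERS list are constructed for the example.

```python
import sqlite3

# Only these columns may appear in a caller-supplied filter. Column names cannot be
# bound as parameters, so an allow-list is the only safe way to make them dynamic.
# (Constructed for this example; the asker's real schema is not known.)
ALLOWED_FILTERS = ("Name", "IsComplete", "SomeOtherField")


def setup_db():
    """Constructed sample data standing in for the asker's MyTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MyTable (Key TEXT PRIMARY KEY, Name TEXT, "
        "IsComplete INTEGER, SomeOtherField TEXT)"
    )
    conn.executemany(
        "INSERT INTO MyTable VALUES (?, ?, ?, ?)",
        [("k1", "first", 0, "alpha"), ("k2", "second", 0, "beta"), ("k3", "third", 1, "alpha")],
    )
    conn.commit()
    return conn


def build_update(key, name, is_complete, filters):
    """Compose the dynamic UPDATE and return (sql, params).

    filters is a dict {column: value}. The column goes into the SQL text only
    after passing the allow-list; the value always goes into the parameter list.
    This is the same composition as the answer's sqlquery += ... plus tableAList.Add(...).
    """
    sql = "UPDATE MyTable SET Name = ?, IsComplete = ? WHERE Key = ?"
    params = [name, int(is_complete), key]
    for column, value in filters.items():
        if column not in ALLOWED_FILTERS:
            raise ValueError(f"filter column not allowed: {column!r}")
        sql += f" AND {column} = ?"
        params.append(value)
    return sql, params


def update_safe(conn, key, name, is_complete, filters=None):
    """Run the parameterised update; returns the number of rows changed."""
    sql, params = build_update(key, name, is_complete, filters or {})
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def update_unsafe(conn, key, name):
    """The anti-pattern: values concatenated straight into the statement text."""
    sql = f"UPDATE MyTable SET Name = '{name}' WHERE Key = '{key}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def rejects_unknown_column(column):
    """True if build_update refuses to splice this column name into the SQL."""
    try:
        build_update("k1", "n", False, {column: "x"})
    except ValueError:
        return True
    return False


def demo():
    """Returns (rows changed by safe update, rows changed by unsafe update) for a hostile key."""
    conn = setup_db()
    hostile_key = "nope' OR '1'='1"
    safe_rows = update_safe(conn, hostile_key, "pwned", True)      # no row has that key
    unsafe_rows = update_unsafe(conn, hostile_key, "pwned")       # WHERE clause becomes always-true
    return safe_rows, unsafe_rows


if __name__ == "__main__":
    print("safe/unsafe rows changed:", demo())
```

With the hostile key the parameterised statement changes no rows, because the whole string is compared against the Key column as a value, while the concatenated statement rewrites every row. The extra filter behaves like the answer's optional `AND SomeOtherField = @OtherFieldValue`: passing `{"SomeOtherField": "alpha"}` for key k1 updates one row, for key k2 none, and a column name outside the allow-list is refused before any SQL is built.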