C#|在SqlCommand查询中使用参数

问题描述

我有一个 ASP.NET Core 项目,在 DAL 中从数据库读取数据。我希望用户能够输入一个类型字符串(Karakter 是荷兰语的 character),然后 DAL 根据这个类型从数据库中随机取出 2 个 Karakter,例如 KarakterSoort = "Defensive"。

这是我当前在DAL中的代码

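/// <summary>
/// Reads two random rows with KarakterSoort = 'Defensive' from the Karakter table.
/// </summary>
/// <returns>
/// Up to two <see cref="IKarakter"/> instances; an empty list when no row matches.
/// </returns>
public IEnumerable<IKarakter> GetSortedKarakters()
{
    // Type and member names are case-sensitive: sqlConnection / sqlCommand / open()
    // do not compile. Only the connection, command and reader are fixed here.
    using (SqlConnection connection = GetConnection())
    {
        connection.Open();

        // The filter is a compile-time literal, not caller input, so inlining it in the
        // SQL text is fine; once the value comes from a caller it must be a parameter.
        using (var command = new SqlCommand(
            "SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = 'Defensive' ORDER BY NEWID();",
            connection))
        // Dispose the reader too; the original left it open until the connection was disposed.
        using (var reader = command.ExecuteReader())
        {
            var sortedKarakters = new List<IKarakter>();

            while (reader.Read())
            {
                var karakter = new KarakterDTO
                {
                    KarakterId = (int)reader["KarakterId"],
                    // reader[...] returns DBNull.Value (not null) for SQL NULL, so these
                    // yield "" rather than null; the ?. only guards the reference itself.
                    KarakterSoort = reader["KarakterSoort"]?.ToString(),
                    KarakterNaam = reader["KarakterNaam"]?.ToString()
                };

                sortedKarakters.Add(karakter);
            }

            return sortedKarakters;
        }
    }
}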

我认为下面这段代码大致是正确的解决思路:

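/// <summary>
/// Reads two random rows whose KarakterSoort equals the value supplied by the caller.
/// </summary>
/// <param name="givenStringFromUser">
/// Filter value compared against the KarakterSoort column. It is bound as a command
/// parameter, never spliced into the SQL text.
/// </param>
/// <returns>
/// Up to two <see cref="IKarakter"/> instances; an empty list when no row matches.
/// </returns>
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
    // Type and member names are case-sensitive: sqlConnection / sqlCommand / open()
    // do not compile.
    using (SqlConnection connection = GetConnection())
    {
        connection.Open();

        // Writing "KarakterSoort = givenStringFromUser" inside the SQL string does not
        // substitute the C# variable; SQL Server would look for a column of that name.
        // A named parameter carries the value, which also rules out SQL injection.
        using (var command = new SqlCommand(
            "SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @KarakterSoort ORDER BY NEWID();",
            connection))
        {
            // NOTE(review): this constructor infers the SQL type from the .NET value; if the
            // column is VARCHAR rather than NVARCHAR, consider an explicit SqlDbType and size.
            command.Parameters.Add(new SqlParameter("@KarakterSoort", givenStringFromUser));

            var sortedKarakters = new List<IKarakter>();

            // Dispose the reader too; otherwise it stays open until the connection is disposed.
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    var karakter = new KarakterDTO
                    {
                        KarakterId = (int)reader["KarakterId"],
                        // reader[...] returns DBNull.Value (not null) for SQL NULL, so these
                        // yield "" rather than null; the ?. only guards the reference itself.
                        KarakterSoort = reader["KarakterSoort"]?.ToString(),
                        KarakterNaam = reader["KarakterNaam"]?.ToString()
                    };

                    sortedKarakters.Add(karakter);
                }
            }

            return sortedKarakters;
        }
    }
}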

我找不到让它正常工作的方法,所以想在这里提问。

解决方法

您需要添加SqlParameter并设置其值:

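/// <summary>
/// Reads two random rows whose KarakterSoort equals the value supplied by the caller.
/// </summary>
/// <param name="givenStringFromUser">
/// Filter value compared against the KarakterSoort column; bound as the @UserInput
/// parameter so it is never part of the SQL text.
/// </param>
/// <returns>
/// Up to two <see cref="IKarakter"/> instances; an empty list when no row matches.
/// </returns>
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
    using (SqlConnection connection = GetConnection())
    using (var command = new SqlCommand(
        "SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @UserInput ORDER BY NEWID();",
        connection))
    {
        // Explicit type and size give a stable parameter signature for plan caching.
        // NOTE(review): the size 100 assumes the column is VARCHAR(100) or wider — confirm
        // against the schema; a longer value would be truncated to 100 characters.
        command.Parameters.Add("@UserInput", SqlDbType.VarChar, 100).Value = givenStringFromUser;

        connection.Open();
        var sortedKarakters = new List<IKarakter>();

        // Dispose the reader as well as the connection; leaving the `using` block closes the
        // connection, so the explicit Close() call is no longer needed.
        using (var reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                var karakter = new KarakterDTO
                {
                    KarakterId = (int)reader["KarakterId"],
                    // reader[...] returns DBNull.Value (not null) for SQL NULL, so these
                    // yield "" rather than null; the ?. only guards the reference itself.
                    KarakterSoort = reader["KarakterSoort"]?.ToString(),
                    KarakterNaam = reader["KarakterNaam"]?.ToString()
                };

                sortedKarakters.Add(karakter);
            }
        }

        return sortedKarakters;
    }
}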

您必须把过滤值传给 SQL 查询。另外,不要把它直接拼进查询字符串,而应使用 SqlCommand 的参数,这样可以避免 SQL 注入。

类似下面的代码应该可以工作:

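/// <summary>
/// Reads two random rows whose KarakterSoort equals the value supplied by the caller.
/// </summary>
/// <param name="givenStringFromUser">
/// Filter value compared against the KarakterSoort column; bound as the @filterValue
/// parameter so it is never part of the SQL text.
/// </param>
/// <returns>
/// Up to two <see cref="IKarakter"/> instances; an empty list when no row matches.
/// </returns>
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
    using (SqlConnection connection = GetConnection())
    {
        connection.Open();

        using (var command = new SqlCommand(
            "SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @filterValue ORDER BY NEWID();",
            connection))
        {
            // NOTE(review): without an explicit size the parameter length is taken from the
            // value, which yields a separate cached plan per distinct length — consider
            // passing the column's declared size once it is known.
            command.Parameters.Add("@filterValue", SqlDbType.VarChar).Value = givenStringFromUser;

            var sortedKarakters = new List<IKarakter>();

            // Dispose the reader too; otherwise it stays open until the connection is disposed.
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    var karakter = new KarakterDTO
                    {
                        KarakterId = (int)reader["KarakterId"],
                        // KarakterSoort is mapped as in the other listings so the DTO is complete.
                        // reader[...] returns DBNull.Value (not null) for SQL NULL, so these
                        // yield "" rather than null; the ?. only guards the reference itself.
                        KarakterSoort = reader["KarakterSoort"]?.ToString(),
                        KarakterNaam = reader["KarakterNaam"]?.ToString()
                    };

                    sortedKarakters.Add(karakter);
                }
            }

            return sortedKarakters;
        }
    }
}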