问题描述
我有一个ASP.NET Core项目，在DAL中从数据库读取数据。现在我希望用户能够输入角色类型（Karakter是荷兰语的“角色/字符”），然后DAL应从数据库中随机选出2个KarakterSoort = “Defensive”的角色。
这是我当前在DAL中的代码:
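/// <summary>
/// Returns two randomly chosen rows from <c>Karakter</c> whose <c>KarakterSoort</c>
/// is <c>'Defensive'</c>, mapped to <see cref="KarakterDTO"/>.
/// </summary>
/// <returns>A list of at most two <see cref="IKarakter"/> instances; empty when no row matches.</returns>
public IEnumerable<IKarakter> GetSortedKarakters()
{
    using (SqlConnection connection = GetConnection())
    {
        connection.Open();

        // The filter value is a compile-time literal, not user input, so it is safe inside
        // the query text. ORDER BY NEWID() shuffles the rows so TOP 2 picks a random pair.
        using (var command = new SqlCommand(
            "SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = 'Defensive' ORDER BY NEWID();",
            connection))
        // The reader is disposed as well: an open reader keeps the connection busy.
        using (var reader = command.ExecuteReader())
        {
            var sortedKarakters = new List<IKarakter>();
            while (reader.Read())
            {
                var karakter = new KarakterDTO
                {
                    KarakterId = (int)reader["KarakterId"],
                    // A SQL NULL comes back as DBNull.Value (never null), so "?." is a no-op
                    // here and a NULL column yields "" rather than null.
                    KarakterSoort = reader["KarakterSoort"]?.ToString(),
                    KarakterNaam = reader["KarakterNaam"]?.ToString()
                };
                sortedKarakters.Add(karakter);
            }
            return sortedKarakters;
        }
    }
}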
下面是我认为朝着正确解决方向迈出的一步：
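/// <summary>
/// Returns two randomly chosen rows from <c>Karakter</c> whose <c>KarakterSoort</c> equals
/// the caller-supplied type, mapped to <see cref="KarakterDTO"/>.
/// </summary>
/// <param name="givenStringFromUser">The KarakterSoort value to filter on. It originates from
/// the user and is therefore bound as a query parameter, never spliced into the SQL text.</param>
/// <returns>A list of at most two <see cref="IKarakter"/> instances; empty when no row matches.</returns>
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
    using (SqlConnection connection = GetConnection())
    {
        connection.Open();

        // The user's value travels as @KarakterSoort so the server treats it purely as data;
        // placing it inside the query string would let crafted input alter the statement itself.
        using (var command = new SqlCommand(
            "SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @KarakterSoort ORDER BY NEWID();",
            connection))
        {
            // Type and length are declared explicitly so every call reuses the same plan.
            // Assumes a VARCHAR(100) column; use SqlDbType.NVarChar and the real length if the
            // column is declared differently — confirm against the table definition.
            command.Parameters.Add("@KarakterSoort", SqlDbType.VarChar, 100).Value = givenStringFromUser;

            // Dispose the reader too: an open reader keeps the connection busy.
            using (var reader = command.ExecuteReader())
            {
                var sortedKarakters = new List<IKarakter>();
                while (reader.Read())
                {
                    var karakter = new KarakterDTO
                    {
                        KarakterId = (int)reader["KarakterId"],
                        // A SQL NULL comes back as DBNull.Value (never null), so "?." is a no-op
                        // here and a NULL column yields "" rather than null.
                        KarakterSoort = reader["KarakterSoort"]?.ToString(),
                        KarakterNaam = reader["KarakterNaam"]?.ToString()
                    };
                    sortedKarakters.Add(karakter);
                }
                return sortedKarakters;
            }
        }
    }
}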
解决方法
您需要添加一个SqlParameter并设置它的值：
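/// <summary>
/// Returns two randomly chosen rows from <c>Karakter</c> whose <c>KarakterSoort</c> equals
/// the caller-supplied type, mapped to <see cref="KarakterDTO"/>.
/// </summary>
/// <param name="givenStringFromUser">The KarakterSoort value to filter on. It is bound as
/// <c>@UserInput</c>, so it can only ever be compared as a value, not executed as SQL.</param>
/// <returns>A list of at most two <see cref="IKarakter"/> instances; empty when no row matches.</returns>
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
    using (SqlConnection connection = GetConnection())
    {
        // Command and reader are disposable as well; "using" releases them even if the
        // mapping below throws, and disposing the connection closes it (no explicit Close needed).
        using (var command = new SqlCommand(
            "SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @UserInput ORDER BY NEWID();",
            connection))
        {
            // Explicit type and length keep the plan stable across calls. Assumes a VARCHAR(100)
            // column; if it is NVARCHAR, use SqlDbType.NVarChar to avoid an implicit conversion
            // on the server — confirm against the table definition.
            command.Parameters.Add("@UserInput", SqlDbType.VarChar, 100).Value = givenStringFromUser;

            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                var sortedKarakters = new List<IKarakter>();
                while (reader.Read())
                {
                    var karakter = new KarakterDTO
                    {
                        KarakterId = (int)reader["KarakterId"],
                        // A SQL NULL comes back as DBNull.Value (never null), so "?." is a no-op
                        // here and a NULL column yields "" rather than null.
                        KarakterSoort = reader["KarakterSoort"]?.ToString(),
                        KarakterNaam = reader["KarakterNaam"]?.ToString()
                    };
                    sortedKarakters.Add(karakter);
                }
                return sortedKarakters;
            }
        }
    }
}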
,
您必须把过滤值传给SQL查询，但不要把它直接拼接进查询字符串，而应使用SqlCommand参数。参数会让数据库把这个值仅当作数据处理，而不是当作语句的一部分，这样就能避免SQL注入。
类似下面的代码应该可以工作：
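/// <summary>
/// Returns two randomly chosen rows from <c>Karakter</c> whose <c>KarakterSoort</c> equals
/// the caller-supplied type, mapped to <see cref="KarakterDTO"/>.
/// </summary>
/// <param name="givenStringFromUser">The KarakterSoort value to filter on. It is bound as
/// <c>@filterValue</c>, so it can only ever be compared as a value, not executed as SQL.</param>
/// <returns>A list of at most two <see cref="IKarakter"/> instances; empty when no row matches.</returns>
public IEnumerable<IKarakter> GetSortedKarakters(string givenStringFromUser)
{
    using (SqlConnection connection = GetConnection())
    {
        connection.Open();

        // Command and reader are disposed with "using" so they are released even when
        // the mapping below throws.
        using (var command = new SqlCommand(
            "SELECT TOP 2 * FROM Karakter WHERE KarakterSoort = @filterValue ORDER BY NEWID();",
            connection))
        {
            // Give the parameter an explicit length: without one ADO.NET sizes it from each
            // value, so different input lengths produce different cached plans. 100 follows the
            // other answer on this page and assumes a VARCHAR(100) column; use SqlDbType.NVarChar
            // and the real length if the column is declared differently — confirm against the schema.
            command.Parameters.Add("@filterValue", SqlDbType.VarChar, 100).Value = givenStringFromUser;

            using (var reader = command.ExecuteReader())
            {
                var sortedKarakters = new List<IKarakter>();
                while (reader.Read())
                {
                    var karakter = new KarakterDTO
                    {
                        KarakterId = (int)reader["KarakterId"],
                        // KarakterSoort is mapped here as in the other listings on this page;
                        // a SQL NULL comes back as DBNull.Value (never null), so "?." is a no-op
                        // and a NULL column yields "" rather than null.
                        KarakterSoort = reader["KarakterSoort"]?.ToString(),
                        KarakterNaam = reader["KarakterNaam"]?.ToString()
                    };
                    sortedKarakters.Add(karakter);
                }
                return sortedKarakters;
            }
        }
    }
}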