问题描述
我有代码,可以通过解析文件名来创建索引文件。
此文件名: 25643245_AjaWar_Prav_2_FT_20200701.pdf
将在索引文件中创建以下行: 256432245 | ST | W-HIGH SCHOOL TSCRIPT | @@ TEST-LOCATION \ 25643245_AjaWar_Prav_2_FT_20200701.pdf
问题在于“ 256432245”的第一次解析不是数据库中的主键,因此我必须转换为主键,然后将主键存储在索引文件中以代替“ 256432245”
我有一部分构建索引文件的查询工作正常,但没有一部分查询并返回转换后的ID。如果我只运行只返回一个ID的查询部分,那也可以。我在使查询在“ foreach”中正常工作时遇到问题。
我目前得到的结果是
| ST | W-HIGH中学成绩单| @@ TEST-LOCATION \ 25643245_AjaWar_Prav_2_FT_20200701.pdf
当我想得到的时候:
8992004 | ST | W-高中成绩单| @@ TEST-LOCATION \ 25643245_AjaWar_Prav_2_FT_20200701.pdf
其中'8992004'是SPRIDEN_ID是SQL查询的结果。
感谢您提供的任何帮助。
foreach ($Filename in Get-ChildItem $ImagePath)
{
$Arr = $Filename -split '_'
$reworkedfilename = $Arr[0] + '_' + $Arr[1] + '_' + $Arr[2] + '_' + $Arr[3] + '_' + $Arr[4] + '_' + $Arr[5]
##$reworkedarray2 = $Arr[0] -replace ".pdf","";
Write-host $Arr[0] ##this works because I can see the non-primary ID being returned
#Find Each SPRIDEN_ID translated from CAID
add-type -AssemblyName System.Data.OracleClient
$username = "U"
$password = "P"
$data_source = "DS"
$connection_string = "User Id=$username;Password=$password;Data Source=$data_source"
$statement = "
Select Distinct SPRIDEN_ID
from SARACMT,SPRIDEN
where
SPRIDEN_PIDM = SARACMT_PIDM
and SPRIDEN_CHANGE_IND is null
AND SARACMT_COMMENT_TEXT = '$Arr[0]'
"
##The "AND SARACMT_COMMENT_TEXT = '$Arr[0]'" doesn't work because nothing is being returned in the index file
try{
$con = New-Object System.Data.OracleClient.OracleConnection($connection_string)
$con.Open()
$cmd = $con.CreateCommand()
$cmd.CommandText = $statement
$result = $cmd.ExecuteReader()
# Do something with the results...
$ArrConverted = while ($result.Read()) {
$result.GetString(0)
}
} catch {
Write-Error (“Database Exception: {0}`n{1}” -f `
$con.ConnectionString,$_.Exception.ToString())
} finally{
if ($con.State -eq ‘Open’) { $con.close() }
}
$outputline = $ArrConverted + '|' + $Arr[4] + '|' + $DocType + '|@@'+ $ImagePath + $reworkedfilename | out-file -filepath $IndexFilePath -Encoding "ascii" -append
#>
}
解决方法
仅凭运气我就知道了。
我为$ Arr [0]创建了一个变量
$ Arr0 = $ Arr [0]
然后将新变量放在sql语句的where子句的where子句中:
AND SARACMT_COMMENT_TEXT ='$ Arr0'
这将对在foreach期间解析出的每个项目进行查询。
,您的问题与您如何尝试将变量值注入sql查询字符串有关:
$statement = "
Select Distinct SPRIDEN_ID
from SARACMT,SPRIDEN
where
SPRIDEN_PIDM = SARACMT_PIDM
and SPRIDEN_CHANGE_IND is null
AND SARACMT_COMMENT_TEXT = '$Arr[0]'
"
如果您在此行之后添加write-host $statement
,则会看到它仅替换$Arr
部分,而不是 $Arr[0]
部分,因此您的查询包含像这样:
Select Distinct SPRIDEN_ID
from SARACMT,SPRIDEN
where
SPRIDEN_PIDM = SARACMT_PIDM
and SPRIDEN_CHANGE_IND is null
AND SARACMT_COMMENT_TEXT = '25643245 AjaWar Prav 2 FT 20200701[0]'
代替:
Select Distinct SPRIDEN_ID
from SARACMT,SPRIDEN
where
SPRIDEN_PIDM = SARACMT_PIDM
and SPRIDEN_CHANGE_IND is null
AND SARACMT_COMMENT_TEXT = '25643245’
要获取它来替换{{1}}的值,可以用$Arr[0]
括起来以使用“命令替换”(请参见https://docs.microsoft.com/en-us/powershell/scripting/learn/deep-dives/everything-about-string-substitutions?view=powershell-7#command-substitution),以便查询变为:
$( ... )
话虽如此,您最好使用参数化查询而不是构建动态sql字符串(请参见Oracle Parameterized query in c#),因为从您的代码来看,如果遇到一个SQL注入攻击,它很容易受到sql注入攻击的攻击。故意调皮的文件名(例如$statement = "
Select Distinct SPRIDEN_ID
from SARACMT,SPRIDEN
where
SPRIDEN_PIDM = SARACMT_PIDM
and SPRIDEN_CHANGE_IND is null
AND SARACMT_COMMENT_TEXT = '$($Arr[0])’
)。
有关SQL注入攻击的更多信息,请参见https://blogs.oracle.com/sql/what-is-sql-injection-and-how-to-stop-it。