0

我试图将我的 sql 语句存储在资源文件夹中的 .sql 文件中,

我需要将 2 个值传递给 sql 命令,但我很难做到这一点

我的sql如下:

SELECT * FROM claim_header WHERE @columnname = @testcase;

我的班级称它为:

class DataValidation
{
    public string testCase { get; set; }
    public string elementName { get; set; }
    public string fileDestination = ConfigurationSettings.AppSettings["ValidationReportDestination"];
    public List<string> testCasesList = new List<string>();

    public void PrintValidationResults()
    {
        int counter = 0;
        SqlConnection sqlConnection = new SqlConnection(constring);
        string sqlConnectionStringPassed = "select * from claim_header";
        string sqlConnectionStringFailed = "select * from dbo.[SSIS Exception Info] where data_entity_name like '%CLAIM%' and package_name like '%Extract%' order by 1 desc;";
        SqlDataReader myReaderPassed, myReaderFailed = null;
        SqlCommand sqlCommandPassed = new SqlCommand(sqlConnectionStringPassed, sqlConnection);
        SqlCommand sqlCommandFailed = new SqlCommand(sqlConnectionStringFailed, sqlConnection);

        string sqlPass = EmbeddedResource.GetString("PassQuery.sql");
        SqlCommand cmd = new SqlCommand(sqlPass,sqlConnection);

        cmd.Parameters.AddWithValue("@testcase", "'" + testCasesList[counter] + "'");
        cmd.Parameters.AddWithValue("@columnname", elementName);

        try
        {
            sqlConnection.Open();
            myReaderPassed = sqlCommandPassed.ExecuteReader();
            myReaderFailed = sqlCommandFailed.ExecuteReader();
            object query = cmd.ExecuteScalar();
            string test = cmd.CommandText;

            //Print Passed Results
            Directory.CreateDirectory(fileDestination);
            using (StreamWriter resultWriter = new StreamWriter((fileDestination + elementName + ".txt"), true))
            {
                    while (myReaderPassed.Read())
                    {
                        foreach (string testCase in testCasesList)
                        {
                            if (myReaderPassed[elementName].ToString() == testCase)
                            {
                                {
                                    resultWriter.WriteLine("Field: " + elementName.ToString());
                                    resultWriter.WriteLine("Test Case: " + testCasesList[counter]);
                                    resultWriter.WriteLine("Passed:" + "Yes");
                                    resultWriter.WriteLine("Test: " + cmd.ExecuteScalar());
                                }
                            }
                        }
                        counter++;
                    }           
                }
            }           

        catch (Exception e)
        {
            MessageBox.Show(e.ToString());
        }

    }

在这一行: object query = cmd.ExecuteScalar(); 查询始终显示为空。如果我不通过任何参数,该语句是否完美?我错过了什么?

4

3 回答 3

0

创建参数时不需要加单引号

改变

cmd.Parameters.AddWithValue("@testcase", "'" + testCasesList[counter] + "'");


cmd.Parameters.AddWithValue("@testcase", testCasesList[counter]);
于 2013-06-03T16:06:55.653 回答
0

没有看到你的 SQL 语句,很难说。但是,我敢说这是您的字符串处理中的一个错误。你有这条线:

cmd.Parameters.AddWithValue("@testcase", "'" + testCasesList[counter] + "'");

You are explicitly wrapping your string in ''s. This is unnecessary when using command parameters. Any escaping that needs to be done will be performed by the .NET data provider (although it's likely no escaping is necessary -- most RDBMSes provide a means to pass parameters directly without them being converted to strings and inserted into the SQL).

于 2013-06-03T16:07:28.333 回答
0

While it's not exactly going to prevent your query from running, I don't think you will get the result you're after because you can't parameterize a column name, so your query will have to take the form:

SELECT * FROM claim_header WHERE columnname = @testcase;

And you have one or more queries depending on what column you want to search by

If you provide an SQL like:

SELECT * FROM claim_header WHERE @columnname = @testcase;

the only thing you can really do with such a query is set the two parameters to the same value (in which case you will get all rows from the table, because it's like saying SELECT * FROM table WHERE 1=1 ) or set them to different values, in which case you will get 0 rows in your results (because it's like saying SELECT * FROM table WHERE 1=0)

If you want dynamic column names, you're really going to have to make your SQL in your resource file like this:

SELECT * FROM claim_header WHERE {0} = @testcase;

And your code like this:

string sqlCommand = string.Format(Resources.Whatever.SQL, elementName);

Thus the {0} is replaced with "claim_id" or similar.. But be aware of the dangers of SQL injection

于 2013-06-03T16:07:32.670 回答