0

我有一个我正在从事的项目,但不是我创建的。作为一个整体,我对 C# 和 ASP.NET 还是比较陌生。我面临着这个 SQL 查询:

var sql = @"SELECT * FROM [database] WHERE [submitDate] >= Convert(datetime,'20130301')";

var sql = @"SELECT * FROM (SELECT ROW_NUMBER() OVER(ORDER BY id)AS rowNum, * FROM [webDBs].[dbo].[employeeRecognition] WHERE [submitDate] >= Convert(datetime,'20130301')
) AS E
WHERE rowNum >= {0}
AND rowNum < {1}";

这些当然完全符合预期。然而,我需要做的是使 2013 年的部分Convert(datetime,'20130301')实际上等于当前的,这样我们就不必每年都更新这个查询。

根据我有限的经验,我首先尝试在 C# 变量中连接,但这不仅不起作用,而且经过一些研究,我了解到该方法可能成为潜在 SQL 注入的开端。

我读了一些关于参数化 SQL 查询的内容,但我在上面看到的所有内容都让我相信我必须首先重写/重新考虑如何从数据库中提取这些数据。

关于如何实现我的目标的任何建议?

这是我正在使用的:

protected string RecordCount()
        {
            EmployeeRecognitionDataContext db = new EmployeeRecognitionDataContext();

            var sql = @"SELECT * FROM [database] WHERE [submitDate] >= Convert(datetime,'20130301')";

            var query = db.ExecuteQuery<employeeRecognition>(sql);

            //return "[{\"count\":\"" + query.Count() + "\"}]";
            return query.Count().ToString();
        }

第二个功能var用于:

 protected string SelectRecords(int startIndex, int pageSize) {

            int rowNum = startIndex + pageSize;

            EmployeeRecognitionDataContext db = new EmployeeRecognitionDataContext();

            var sql = @"SELECT * FROM (
                        SELECT ROW_NUMBER() OVER(ORDER BY id)AS rowNum, * FROM [database] WHERE [submitDate] >= Convert(datetime,'20130301')
                        ) AS E
                        WHERE rowNum >= {0} 
                        AND rowNum < {1}";

            var query = db.ExecuteQuery<employeeRecognition>(sql, startIndex, rowNum);

            List<Employee> eList = new List<Employee>();

            foreach (var employee in query)
            {
                eList.Add(new Employee { 
                    value = employee.id.ToString(),
                    firstName = employee.firstName, 
                    lastName = employee.lastName, 
                    department = employee.department,
                    drop = employee.shortAchievement, 
                    recognition = employee.longAchievement,
                    submitDate = employee.submitDate.ToString()
                });

            }

            JavaScriptSerializer serializer = new System.Web.Script.Serialization.JavaScriptSerializer();

            return serializer.Serialize(eList);
        }
4

2 回答 2

2

I don't know what the rest of your code looks like but here's a possible example of using parameters. 

using (SqlConnection connection = new SqlConnection("<connection string>"))
{
    var cmd = connection.CreateCommand();
    cmd.CommandText = @"SELECT * FROM [database] WHERE [submitDate] >= @myDate";
    DateTime myDate = DateTime.Parse("<date string>");
    cmd.Parameters.AddWithValue("@myDate", myDate);
    var reader = cmd.ExecuteReader();
    /* etc. */
}
于 2013-08-28T17:23:25.400 回答
1

您可以更改生成该字符串的代码。就像是;

   String.Format(@"SELECT * FROM [database] WHERE [submitDate] >= Convert(datetime,'{0}0301')", DateTime.Now.Year.ToString());

将使字符串始终具有当前年份。

String.Format可以在这里找到文档http://msdn.microsoft.com/en-us/library/system.string.format.aspx

它基本上是这样工作的。您调用String.Format的第一个参数是您的字符串。在该字符串中,您放置格式说明符(这{0}是一个格式说明符)。的每个实例{x}都替换为相应的参数。所以,你可以做这样的事情;

   string replacingThreeValues = String.Format("Replacing {0}, {1}, {2}", "one", "two", "three");

这将导致replaceingThreeValues == "Replacing one, two, three". 因此,在您的第二个示例中,var sql = ...您已经放入了一些格式说明符,但您没有调用 Format,也没有传递任何参数来替换这些值。相反,您只会得到一个包含文字 {0} 和 {1} 的字符串。只有当您调用String.Format并传递适当的参数时,这些值才会被您传递的参数替换。

于 2013-08-28T17:08:16.507 回答