0

Basically, if a parameter arrives as NULL, I want to send it to the database as a database NULL. So (see the comments in the code below):

[HttpPost]
public void UpdateTitle(Title title)
{
    string query = null;
    string description = "";
    string episodeAKA = "";

    if (title.Description != null)
    {
        description = "'" + title.Description + "'";
    }
    else
    {
        //here's where description should be a DBNULL.
    }

    if (title.EpisodeAKA == null)
    {
        title.EpisodeAKA = "NULL";
    }

    myConnection.Open();
    if (title.Operation == 'U')
    {
        query = "UPDATE dbo.AWD_Titles SET AwardStatusId = " + title.AwardStatus + ", Description = " + description + ", IsVerified = " + title.IsVerified + ", EpisodeAKA = '" + title.EpisodeAKA + "' WHERE AwardTitleId = " + title.AwardTitleId + " SELECT SCOPE_IDENTITY()";
    }
    var cmd = new SqlCommand(query, myConnection);
    cmd.ExecuteScalar();
    myConnection.Close();
}

Here is the Title class:

public class Title
{
    public int AwardTitleId { get; set; }
    public int AwardStatus { get; set; }
    public int IsVerified { get; set; }
    public string EpisodeAKA { get; set; }
    public string Description { get; set; }
    public char Operation { get; set; }
}
4

5 Answers

6

The original code has several basic errors. This demonstrates how to do it properly, including how to set DBNull:

// requires: using System.Data; using System.Data.SqlClient; using System.Linq;
[HttpPost]
public void UpdateTitle(Title title)
{
    string query;
    if (title.Operation == 'U')
    {
        query =
            "UPDATE dbo.AWD_Titles" +
            " SET AwardStatusId = @AwardStatusId , Description = @Description , IsVerified = @IsVerified , EpisodeAKA = @EpisodeAKA" +
            " WHERE AwardTitleId = @AwardTitleId ;" +
            " SELECT SCOPE_IDENTITY();";
    }
    else
    {
        query = "";
        //presumably you have a slightly different query string for inserts.
        //Thankfully, they should have pretty much the same set of parameters.
        //If this method will really only be called for updates, the code is quite a bit simpler
    }

    //instead of a shared myConnection object, use a shared connection string.
    // .Net is set up so that you should be creating a new connection object for most queries.
    // I know it sounds backwards, but that's really the right way to do it.
    // Create the connection in a using(){} block, so that you guarantee it is
    //    disposed correctly, even if an exception is thrown.
    using (var cn = new SqlConnection(myConnectionString))
    using (var cmd = new SqlCommand(query, cn))
    {
        //guessing at database types, lengths here. Fix with actual column types
        cmd.Parameters.Add("@AwardStatusId", SqlDbType.Int).Value = title.AwardStatus;
        cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 250).Value = title.Description;
        cmd.Parameters.Add("@IsVerified", SqlDbType.Bit).Value = title.IsVerified;
        cmd.Parameters.Add("@EpisodeAKA", SqlDbType.NVarChar, 100).Value = title.EpisodeAKA;
        cmd.Parameters.Add("@AwardTitleId", SqlDbType.Int).Value = title.AwardTitleId;

        //-------------
        //This is the part that actually answers your question
        //SqlParameterCollection is not IEnumerable<SqlParameter>, so Cast<> is needed before Where
        foreach (var p in cmd.Parameters.Cast<SqlParameter>().Where(p => p.Value == null))
        {
            p.Value = DBNull.Value;
        }
        //-------------

        cn.Open();
        cmd.ExecuteScalar();
    }
}
Answered 2013-09-20T20:42:37.370
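The accepted answer's parameterized UPDATE, combined with the DBNull helper idea from the answers below, as an added example that is not any answerer's code. The connection string, column types and lengths are assumptions; the `Title` class is the one from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class TitleRepository
{
    // Placeholder connection string (assumption); replace with your own.
    private const string ConnectionString =
        "Server=.;Database=Awards;Integrated Security=true;";

    // A C# null cannot be sent as a parameter value; the database NULL
    // is DBNull.Value, so every nullable input goes through this mapping.
    private static object ToDbValue(object value) => value ?? DBNull.Value;

    // Returns the number of rows updated. Values travel as typed parameters,
    // never as text spliced into the SQL, so "'; DROP ..." stays a string.
    public static int UpdateTitle(Title title)
    {
        const string sql =
            "UPDATE dbo.AWD_Titles " +
            "SET AwardStatusId = @AwardStatusId, Description = @Description, " +
            "    IsVerified = @IsVerified, EpisodeAKA = @EpisodeAKA " +
            "WHERE AwardTitleId = @AwardTitleId;";

        using (var cn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, cn))
        {
            // Column types and lengths are assumed; match the real schema.
            cmd.Parameters.Add("@AwardStatusId", SqlDbType.Int).Value = title.AwardStatus;
            cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 250).Value = ToDbValue(title.Description);
            cmd.Parameters.Add("@IsVerified", SqlDbType.Bit).Value = title.IsVerified != 0;
            cmd.Parameters.Add("@EpisodeAKA", SqlDbType.NVarChar, 100).Value = ToDbValue(title.EpisodeAKA);
            cmd.Parameters.Add("@AwardTitleId", SqlDbType.Int).Value = title.AwardTitleId;

            cn.Open();
            // SCOPE_IDENTITY() is only meaningful after an INSERT; for an
            // UPDATE the affected-row count is the useful result.
            return cmd.ExecuteNonQuery();
        }
    }
}
```

With `title.Description == null`, SQL Server receives `Description = NULL` through the parameter; with the string `"NULL"` it receives the four-character text, which is the distinction the question was missing.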
1

Well, with the code you have, you can use null in the SQL code:

description = "null";

However, you should really use parameterized queries rather than concatenating values into the SQL code. If any of the data comes from user input, your code is vulnerable to SQL injection.

For a parameter value, you use DBNull.Value for null, so the variable holding it must be an object:

object description;

if (title.Description != null)
{
    description = title.Description;
}
else
{
    description = DBNull.Value;
}

Now you can use that value in a SqlParameter object.

Answered 2013-09-20T20:30:02.410
1

OK, first thing. Your code is asking for a SQL injection attack. Use parameterized queries.

On to the question itself. If what you want is a database NULL, you need to pass the value DBNull.Value. You can use a helper function to convert your string to the appropriate value.

// Maps the "NULL" marker string used in the question to a database NULL
private object ConvertToDbReadyString(string value)
{
    if (value == "NULL")
        return DBNull.Value;
    else
        return value;
}
Answered 2013-09-20T20:31:26.213
0
if (title.Description != null)
{
    description = "'" + title.Description + "'";
}
else
{
    //here's where description should be a DBNULL.
}

Try this:

description = title.Description ?? string.Empty;
Answered 2013-09-20T20:31:12.457
0
string variableValue = string.IsNullOrEmpty(stringValue) ? null : "Hello";
Answered 2017-07-25T04:02:26.293