0

我需要使用文本文件更新表格。目前,如果我Get-Content从 txt 文件执行然后运行 ​​SQL 更新查询,我的代码可以正常工作,但仅限于小数据的情况。如果文本过长或包含一些特殊字符,则会抛出如下错误:

使用“0”参数调用“ExecuteReader”的异常:“附近的语法不正确
')</td><td style=\"border:1px solid #cccccc\">#fieldValueEmpty($issue.getCustom
字段值($componentTypeCf),'。”
在 C:\Users\d-mansings\Desktop\Scripted Field Configuration\Script\Prod_UpdateS
cript.ps1:78 字符:37
+ $Reader = $Command.ExecuteReader <<<< ()
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    +fullyQualifiedErrorId:DotNetMethodException

以下是我正在使用的代码:

Function DatabaseQueries(){
    #To connect to the SQL database
    $Connection = New-Object System.Data.SQLClient.SQLConnection
    $Connection.ConnectionString = "Server=$IPSource ; Database=$DBNameSource ; User ID=$UserIDSource ; Password=$LoginPwdSource;"
    $Connection.Open()

    #Query to get the ID of the stored script field from propertyentry 
    $Command1 = New-Object System.Data.SQLClient.SQLCommand
    $Command1.Connection = $Connection
    $Command1.CommandText = "SELECT [ID]    FROM [dbo].[propertyentry] WHERE [PROPERTY_KEY]='com.onresolve.jira.groovy.groovyrunner:customfields' "
    $Reader = $Command1.ExecuteReader() 
    while ($Reader.Read()) {
        $ID = $Reader.GetValue($1)
    }

    #To get the updated script file
    $ScriptDir = $ParentDir + '\Script.txt'
    $ScriptData = Get-Content "$ScriptDir"
    $Connection.Close()

    #Query to update the Script in JIRA database 
    $Connection.Open()
    $Command = New-Object System.Data.SQLClient.SQLCommand
    $Command.Connection = $Connection
    $Command.CommandText = @"
    Update [dbo].[propertytext] set [propertyvalue] ='$ScriptData' Where ID=$ID
"@
    $Reader = $Command.ExecuteReader()

    $Connection.Close()
}
4

2 回答 2

1

如果不指定文件内容和数据库结构,则很难编写完整的解决方案。您肯定遇到过某种 SQL 注入。SQL 查询连接被认为是有害的,您应该避免它。使用 ADO.NET 参数传递变量($Command.Parameters.AddWithValue在您的示例中)。请参见以下示例:

function Invoke-Sql(
    $ConnectionString,
    $Query,
    $Parameters
) {
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $ConnectionString
    $cmd = New-Object System.Data.SqlClient.SqlCommand -ArgumentList $Query,$conn
    $conn.Open()
    foreach ($arg in $Parameters.GetEnumerator()){
        $cmd.Parameters.AddWithValue($arg.Key, $arg.Value) | Out-Null;
    }
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
      [string[]]$columns = 0..($reader.FieldCount-1) |
          % { if ($reader.GetName($_)) { $reader.GetName($_) } else { "(no name $_)" } }
      do {
        $obj = @{}
        0..($reader.FieldCount-1) | % { $obj.Add($columns[$_], $reader[$_]) }
        New-Object PSObject -Property $obj
      } while ($reader.Read())
    }
    $reader.Dispose()
    $cmd.Dispose()
    $conn.Dispose()
}

Invoke-Sql `
    -ConnectionString "Server=.\SQL2014;Database=Test1;Integrated Security=true" `
    -Query 'SELECT Name, Id [ObjectId], Id + 3, @arg FROM IdNameTest' `
    -Parameters @{arg = 'Some text'''}
Invoke-Sql `
    -ConnectionString "Server=.\SQL2014;Database=Test1;Integrated Security=true" `
    -Query 'UPDATE IdNameTest SET Name=@name WHERE Id=@id' `
    -Parameters @{name = "'DROP DATABASE Death;! %&@!$"; id=1}
于 2016-07-15T11:24:11.257 回答
0

感谢您的回复,我已经找到了一种仅使用替换功能来执行查询的方法,因为它在单个引号之间感到困惑

select REPLACE(Cast(propertyvalue AS varchar(Max)), '''', '''''') FROM [dbo].[propertytext] WHERE ID=$ID
于 2016-07-18T06:12:26.963 回答