When I check the where condition, I need to update the IsIgnored field based on senderId, but it does not recognize the senderId that I am comparing from the loop. It throws an exception such as invalid column name "senderid". Please guide me on how to solve this.

    foreach (var senderId in senderIdList)
    {
        using (var context = new BSoftWEDIIContext())
        {
            // senderId is written into the SQL text as a bare word, so SQL Server looks for a column of that name
            var ediDocuments = context.EDIDocuments.SqlQuery("Update EDIDocument SET IsIgnored=1 from EDIDocument edi inner JOIN FileDetails files on edi.FileDetailsId = files.Id where edi.IsDeleted = 0 and edi.SenderID = senderId and edi.DocumentTypeID != 3 and edi.DocumentTypeID != 5 and edi.DocumentTypeID != 2 and edi.IsIgnored = 0 and files.IsDeleted = 0");
        }
    }

Try it like this:

    var ediDocuments = context.EDIDocuments.SqlQuery("Update EDIDocument SET IsIgnored=1 from EDIDocument edi inner JOIN FileDetails files on edi.FileDetailsId = files.Id where edi.IsDeleted = 0 and edi.SenderID = '149825353' and edi.DocumentTypeID != 3 and edi.DocumentTypeID != 5 and edi.DocumentTypeID != 2 and edi.IsIgnored = 0 and files.IsDeleted = 0",
        new SqlParameter
        {
            ParameterName = "senderId",
            DbType = System.Data.DbType.String,
            Value = senderId
        });


    foreach (var senderId in senderIdList)
    {
        using (var context = new BSoftWEDIIContext())
        {
            var ediDocuments = context.EDIDocuments.SqlQuery("Update EDIDocument SET IsIgnored=1 from EDIDocument edi inner JOIN FileDetails files on edi.FileDetailsId = files.Id where edi.IsDeleted = 0 and edi.SenderID = @senderId and edi.DocumentTypeID != 3 and edi.DocumentTypeID != 5 and edi.DocumentTypeID != 2 and edi.IsIgnored = 0 and files.IsDeleted = 0",
                new SqlParameter("@senderId", senderId));
        }
    }

3 Answers

You need to add the SQL parameter to the query.

    using System.Data;
    using System.Data.SqlClient;

    using (var context = new BSoftWEDIIContext())
    {
        foreach (var senderId in senderIdList)
        {
            // ExecuteSqlCommand lives on context.Database (not on the DbSet); it runs the
            // UPDATE and returns the number of affected rows
            context.Database.ExecuteSqlCommand("Update EDIDocument SET IsIgnored=1 from EDIDocument edi inner JOIN FileDetails files on edi.FileDetailsId = files.Id where edi.IsDeleted = 0 and edi.SenderID=@senderId and edi.DocumentTypeID != 3 and edi.DocumentTypeID != 5 and edi.DocumentTypeID != 2 and edi.IsIgnored = 0 and files.IsDeleted = 0",
                new SqlParameter
                {
                    ParameterName = "senderId",
                    DbType = DbType.Int32,
                    Value = senderId
                });
        }
    }
answered 2018-12-11T05:35:30.873
    foreach (var senderId in senderIdList)
    {
        using (var context = new BSoftWEDIIContext())
        {
            // senderId is interpolated straight into the SQL text
            var ediDocuments = context.EDIDocuments.SqlQuery($"Update EDIDocument SET IsIgnored=1 from EDIDocument edi inner JOIN FileDetails files on edi.FileDetailsId = files.Id where edi.IsDeleted = 0 and edi.SenderID={senderId} and edi.DocumentTypeID != 3 and edi.DocumentTypeID != 5 and edi.DocumentTypeID != 2 and edi.IsIgnored = 0 and files.IsDeleted = 0");
        }
    }

But this approach is open to possible SQL injection.

answered 2018-12-11T06:21:52.713
The first thing you should know is that DbSet.SqlQuery() is mainly meant for executing SELECT statements that return a result set of the corresponding entity type (i.e. the DbSet's type). If you want to execute an action query such as an UPDATE command, you should use Database.ExecuteSqlCommand() with a SqlParameter[] array as its argument, as in the example below:

string rawQuery = @"Update EDIDocument SET IsIgnored = 1 From EDIDocument AS edi  
                 INNER JOIN FileDetails AS files on edi.FileDetailsId = files.Id 
                 where edi.IsDeleted = 0 and edi.SenderID = @senderId 
                 and edi.DocumentTypeID <> 3 and edi.DocumentTypeID <> 5 
                 and edi.DocumentTypeID <> 2 and edi.IsIgnored = 0 and files.IsDeleted = 0";

using (var context = new BSoftWEDIIContext())
{
     foreach (var senderId in senderIdList)
     {
         var queryParams = new List<SqlParameter>();
         queryParams.Add(new SqlParameter("@senderId", senderId));

         var ediDocuments = context.Database.ExecuteSqlCommand(rawQuery, queryParams.ToArray());
     }
}

Note:

The second parameter of both DbSet.SqlQuery() and Database.ExecuteSqlCommand() is an object[] array, so you need to pass the parameters inside an array rather than using them directly.

Reference:

Executing raw SQL queries with Entity Framework

answered 2018-12-11T07:10:11.950
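As an added example that is not part of any of the answers above, the same UPDATE can be issued once per batch of senders instead of once per sender, while keeping every id in a SqlParameter so the list is never concatenated into the SQL text. It assumes the EF6 BSoftWEDIIContext from the question and that SenderID is an integer column; the helper name and batch size are my own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class EdiDocumentIgnorer
{
    // SQL Server allows at most 2100 parameters per command, so the list is chunked.
    private const int BatchSize = 1000;

    // Marks matching EDIDocument rows as ignored for every sender in senderIds.
    // Returns the total number of rows updated across all batches.
    public static int IgnoreForSenders(BSoftWEDIIContext context, IReadOnlyList<int> senderIds)
    {
        if (context == null) throw new ArgumentNullException(nameof(context));
        if (senderIds == null || senderIds.Count == 0)
            return 0; // "IN ()" is not valid T-SQL, so do not build it

        int affected = 0;
        for (int start = 0; start < senderIds.Count; start += BatchSize)
        {
            // One typed parameter per id: @p0, @p1, ... (SqlDbType set explicitly so a
            // value of 0 cannot be mistaken for the (string, SqlDbType) constructor overload)
            SqlParameter[] parameters = senderIds
                .Skip(start).Take(BatchSize)
                .Select((id, i) => new SqlParameter("@p" + i, SqlDbType.Int) { Value = id })
                .ToArray();

            // Only the parameter *names* are joined into the statement; values travel separately.
            string inList = string.Join(", ", parameters.Select(p => p.ParameterName));

            string sql =
                "UPDATE edi SET edi.IsIgnored = 1 " +
                "FROM EDIDocument AS edi " +
                "INNER JOIN FileDetails AS files ON edi.FileDetailsId = files.Id " +
                "WHERE edi.IsDeleted = 0 AND files.IsDeleted = 0 AND edi.IsIgnored = 0 " +
                "AND edi.DocumentTypeID NOT IN (2, 3, 5) " +
                "AND edi.SenderID IN (" + inList + ")";

            affected += context.Database.ExecuteSqlCommand(sql, parameters);
        }
        return affected;
    }
}
```

Compared with the per-sender loop in the answers, this keeps the parameterisation but makes one round trip per batch, and the returned count can be logged to confirm how many documents were actually ignored.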