将参数值作为SQL Server中的where子句传递

Question

I want to pass Parameter value as Where Clause in SQL Server . If I am passing values directly in Query, then It is showing me results but after using it with SQLCommand and StorecProcedure , It is not returning any value.

Please help me to solve this issue.

My Query :

Select top 15 UserId, (FirstName + ' ' + LastName) as Name from tblUser Where  + @AllUserIds + (FirstName + ' ' + LastName) LIKE @Search1 + '%' AND (FirstName + ' ' + LastName) LIKE '%' + @Search2 + '%'

@Search1='abc'
@Search2=''
@AllUserIds=UserId!=2869 AND UserId!=1 AND

C# Code :

SqlCommand cmd = new SqlCommand();
cmd.Connection = con;
cmd.CommandType = CommandType.StoredProcedure;
cmd.CommandText = "sp_Teacher_App";

cmd.Parameters.Add("@Search1", SqlDbType.VarChar, 50).Value = Search1;
cmd.Parameters.Add("@Search2", SqlDbType.VarChar, 50).Value = Search2;

AllUserIds = "UserId!=" + AllUserIds.Replace(",", " AND UserId!=") + " AND ";
cmd.Parameters.Add("@AllUserIds", SqlDbType.VarChar).Value = AllUserIds;
cmd.Parameters.Add("@Mode", SqlDbType.VarChar, 30).Value = "GetUserSuggestions";

Answer 1

Complex queries involving flexible numbers of parameters are tricky. Fortunately, tools like "dapper" can help you here. It looks like you want to do something like the following:

int[] userIds = new[] {1,2,3,4};
var query = conn.Query(@"
Select top 15 UserId, (FirstName + ' ' + LastName) as Name
from tblUser Where UserId not in @userIds
and (FirstName + ' ' + LastName) LIKE @Search1 + '%'
and (FirstName + ' ' + LastName) LIKE '%' + @Search2 + '%'",
    new { userIds, Search1, Search2 });

foreach(var row in query) {
    Console.WriteLine((int)row.UserId);
    Console.WriteLine((string)row.Name);
}

Note the things dapper does to help us here:

• clean parameterization
• parameter expansion of the userIds parameter
• result binding ( dynamic in this case, but typed binding is also supported)

Answer 2

The better approach would be use a dynamic SQL to build a query in stored proc.

ALTER Procedure [dbo].[sp_Teacher_App]
    @AllUserIds nvarchar(100),
    @Search1 nvarchar(100),
    @Search2 nvarchar(100),
As
    SET NOCOUNT ON
    declare @selectCols nvarchar(500), @wherClause nvarchar(300), @fromClause   varchar(50)
    set @selectCols = 'Select top 15 UserId, (Firstname' + '+ ' +  'LastName) as Name' 
    set @fromClause = ' tblUser '        --you can even pass this as  a param
    set @wherClause = @AllUserIds 
    set @query = @selectCols + 'from ' + @fromClause +  ' where ' + @wherClause 
    exec(@query)

    SET NOCOUNT OFF

Answer 3

Try a few more brackets. If that doesn't work, remove all the where conditions and tyhen add them back in one at a time to help you diagnose where the issue stems from.

Select top 15 UserId, (FirstName + ' ' + LastName) as Name 
from tblUser 
Where 
(
@AllUserIds + 
((FirstName + ' ' + LastName) LIKE @Search1 + '%' )
AND 
((FirstName + ' ' + LastName) LIKE '%' + @Search2 + '%')
)