剃刀和CSHTML：如何为select语句执行db.Execute？

Question

I am doing a quick CSHTML page for the purpose of testing.

I need to access database based on the id parameter on the URL:

var id = Request.QueryString["id"];
var db = Database.Open("mydatabase_connection");
var query = "select * from myrecord where id =  " + id;
var row = db.QuerySingle(query);

//i am able to display the field (called name) of the selected record in the following way:

@row.name

Obviously, the above approach is subject to security attack. I am hoping to retrieve the record the following way:

var query = "select * from myrecord where id=@0";
var row = db.Execute(query, id);

However, I get runtime error when retrieving the field value:

@row.name

What is the correct way of getting the "row" in the second approach?

Thanks and regards.

Answer 1

Database.Execute is for executing a non-query SQL statement and returns the count of records affected by the SQL statement as an Int .

I think the method you want to use really is Database.QuerySingle , which returns an Object .

ie.

var query = "select * from myrecord where id=@0";
var row = db.QuerySingle(query, id);

Razor:

  @row.name

---

As far as safety from SQL injection goes, this approach is safe. You are passing the URL value into your query as a parameter .

The unsafe way to run the query would be with string concatenation:

   var query = "select * from myrecord where id=" + id; 

Don't do this! It allows for a malicious user to append SQL statements to your query! Always use parameterized queries instead.