在MySQL参数中使用OR语句
[英]Using OR Statement in MySQL Parameter
问题描述
I'm trying construct a MySQL query in my C# application, I'm wondering if it's possible to use OR statement in a MySQL parameters. 
我正在尝试在我的C#应用程序中构造MySQL查询,我想知道是否可以在MySQL参数中使用OR语句。
I have a list of names, and I want to check and see what are the names that exist in the database already. 我有一个名单列表,我想检查并查看数据库中已存在的名称。 Here's a short example 这是一个简短的例子
List<string> names = new List<string> {"adam", "bob", "cathy"}; //actual list is much longer
MySqlConnection connection = getAndOpenConnection();
MySqlCommand command = connection.CreateCommand();
command.CommandText = "SELECT * FROM Employees WHERE name = @names";
command.Parameters.Add(new MySqlParameters("@names", String.Format("names = {0}", String.Join(names, " or name = ")))); //is this line legal?
My original idea is to construct the command text this way: 我最初的想法是以这种方式构造命令文本:
command.CommandText = String.Format("SELECT * FROM Employees WHERE name = '{0}'", String.Join(names, "' or name = '"))
The code will give me the correct command text I want, but I really want to prevent SQL injection. 代码将为我提供我想要的正确命令文本,但我真的想防止SQL注入。
Can someone please help me out on how to construct the MySqlCommand properly? 有人可以帮我解决一下如何正确构建MySqlCommand吗?
1 个解决方案
解决方案1
3 已采纳 2014-06-27 16:10:27
Not easily, no. 不容易,没有。 You need to make that an IN query, which is a pain to do with parameterization (which you really should do). 你需要进行一个IN查询,这是一个很难处理参数化(你真的应该这样做)。 Basically, you have two options: 基本上,您有两种选择:
- build the appropriate command and parameters based on the array size 根据数组大小构建适当的命令和参数
- use a tool that will do it for you 使用一个可以帮到你的工具
The latter is easier; 后者更容易; with "dapper", this is just: 与“小巧玲珑”,这只是:
connection.Query("SELECT * FROM Employees WHERE name in @names", new { names })
.ToList();
(which will be a List<dynamic> ; if you have an Employee class that matches the columns, you can use connection.Query<Employee>(...).ToList() to get a List<Employee> instead). (这将是一个List<dynamic> ;如果你有一个与列匹配的Employee类,你可以使用connection.Query<Employee>(...).ToList()来获取List<Employee> 。
The former, though, is more like (for a simple version): 不过,前者更像(简单版本):
var sb = new StringBuilder("SELECT * FROM Employees WHERE name=@name0");
cmd.Parameters.AddWithValue("name0", names[0]);
for(int i = 1; i < names.Count ; i++) {
sb.Append(" or name=@name").Append(i);
cmd.Parameters.AddWithValue("name" + i, names[i]);
}
cmd.CommandText = sb.ToString();
There are a few other ways of doing that too: 还有其他一些方法可以做到这一点:
switch(names.Count)
{
case 0: cmd.CommandText = "SELECT * FROM Employees"; break;
case 1:
cmd.CommandText = "SELECT * FROM Employees WHERE name=@name";
cmd.Parameters.AddWithValue("name", names[0]);
break;
default:
var sb = new StringBuilder(
"SELECT * FROM Employees WHERE name IN (@name0")
cmd.Parameters.AddWithValue("name0", names[0]);
for(int i = 1;i<names.Count;i++) {
sb.Append(",@name").Append(i);
cmd.Parameters.AddWithValue("name" + i, names[i]);
}
cmd.CommandText = sb.Append(")").ToString();
break;
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.