正确检查数据库中是否已存在记录
[英]Properly check if a record already exists in a database
问题描述
I have read other questions on this, but it does not help for the most part. 
我已经阅读了其他问题,但这在大多数情况下并没有帮助。 Trying to check if a file has already been uploaded(filename is sent to this table) before creating another record and allowing them to upload the same file again. 在创建另一个记录并允许他们再次上传同一文件之前,尝试检查文件是否已经上传(文件名已发送到该表)。
I am using this code and it keeps telling me every file is a new file, even when I use the same file for testing. 我正在使用此代码,即使我使用同一文件进行测试,它仍会告诉我每个文件都是一个新文件。 Obviously it should result in "Exists". 显然,它应导致“存在”。 Connection is already established using "this.Master.Conn" so please no SQLCommand stuff. 已经使用“ this.Master.Conn”建立了连接,因此请不要使用SQLCommand。
I even tried using wildcards in the query. 我什至尝试在查询中使用通配符。
private string SQLCheck(string FileName)
{
string Check = "Select VideoURL from TrainingVideo2 where VideoURL Like '" + FileName +"' and Status=1;";
Object ob = this.Master.Conn.ExecuteSqlScalarCommand(Check);
string Result;
if (DBNull.Value.Equals(ob))
{
Result = "Exists";
}
else
{
Result = "NewFile";
}
return Result;
}
Also, does anybody have a better(more efficient) way of doing this? 另外,有人有更好(更有效)的方法吗?
Trying to basically rewrite this in c#. 试图从根本上用C#重写它。
Private Function CheckName(name As String) As Int32
Dim sql As String = "SELECT ID FROM Company Where Name Like '" & name & "' "
Dim ob As Object = Conn.ExecuteSqlScalarCommand(sql)
If IsDBNull(ob) Then
Return 0
Else
Return CInt(ob)
End If
End Function
2 个解决方案
解决方案1
1 2014-11-02 17:40:10
Never build up an SQL string like that. 切勿建立这样的SQL字符串。 See SQL injection . 请参见SQL注入 。
Why are you using like ? 你为什么用like ? Do you really have Sql wildcards in that fileName ? 您确实在该fileName有Sql通配符吗?
Example (sorry for the " SqlCommand stuff", but it's important): 示例(对“ SqlCommand东西”很抱歉,但这很重要):
string sql = "select count(*) from TrainingVideo2 where VideoURL = @Name and Status=1"
using (SqlConnection conn = new SqlConnection(connString))
{
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.Parameters.Add("@Name", fileName);
conn.Open();
return (Int32)cmd.ExecuteScalar() > 0;
}
解决方案2
1 已采纳 2014-11-03 04:00:15
There are new and more innovative methods devised to get around the simple "replace all ` and " characters with ..." SQL injection prevention techniques. In your case, if the VideoURL happens to be a varchar (and not nvarchar), then using unicode character U+02BC (URL encoded = %CA%BC ) would pass in a quote character as a unicode string, which would bypass your C# checks, but SQL Server will conveniently convert to a quote character in your query. This is just one example of why you should not be doing this :). 有一些新的和更具创新性的方法可以解决简单的“用...替换所有`和“字符...” SQL注入预防技术。在您的情况下,如果VideoURL恰好是varchar(而不是nvarchar),则使用unicode字符U+02BC (URL编码= %CA%BC )将以引号字符作为unicode字符串传递,这将绕过C#检查,但是SQL Server会在您的查询中方便地转换为引号字符。这只是一个为什么不应该这样做的示例:)。
In terms of you check, I always prefer using TOP 1 to let SQL Server cut a potential table scan short. 在检查方面,我总是喜欢使用TOP 1来让SQL Server缩短潜在的表扫描时间。 So, I would use this query: 因此,我将使用以下查询:
Select TOP 1 SomeNonNullIntColumn from TrainingVideo2 where VideoURL Like ... and Status=1;
Execute the query with ExecuteScalar. 使用ExecuteScalar执行查询。 If the result is null , then the record does not exist. 如果结果为null ,则该记录不存在。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.