[英]How to pass in sql “like” condition from c# with single quotes
I have string variable in c# 我在C#中有字符串变量
String Condition = " And LoginName like ''%"+txtLoginName.text+"%''";
I pass this condition variable to a stored procedure like this: 我将此条件变量传递给这样的存储过程:
SqlCommand cmd = new SqlCommand();
cmd.CommandText = "GetAllUserMasterBySearch";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@Condition ", Condition );
And my stored procedure is here: 我的存储过程在这里:
create PROCEDURE [dbo].[GetAllUserMasterBySearch] (
@Condition nvarchar(max)
)
as
declare @Query nvarchar(max)
set @Query = 'SELECT
[UserMasterId], [LoginName], [UserName],
[UserType], [MobileNo], [Email],
[IsLogin], [IpAddress]
FROM
UserMaster
WHERE
IsActive = 1 ' + @Condition
print @query
EXEC sp_executesql @Query
How to pass "like" condition from C# ? 如何通过C#传递“喜欢”条件?
You can pass only variable and rewrite your SP as following 您只能传递变量并按以下方式重写SP
alter PROCEDURE [dbo].[GetAllUserMasterBySearch] (
@var nvarchar(max)
) as
declare @Query nvarchar(max)
set @Query = 'SELECT
[UserMasterId]
,[LoginName]
,[UserName]
,[UserType]
,[MobileNo]
,[Email]
,[IsLogin]
,[IpAddress]
FROM
UserMaster
WHERE
IsActive=1 AND LoginName LIKE %' + @var + '%';
print @query
EXEC sp_executesql @Query
Update: If you want to play with dynamic SQL then try ''' instead of ''. 更新:如果要使用动态SQL,请尝试使用“''而不是“”。 Honestly I haven't deal with dynamic SQL for a while since it it terrible and not secure approach (as it was already mentioned in comments) 老实说,我已经有一段时间没有处理动态SQL了,因为它是一种糟糕且不安全的方法(正如注释中已经提到的那样)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.