动态创建一个键值对,然后……然后
[英]Creating a key-value pair dynamically and then… and then
问题描述
Is it possible to create a key-value pair from an HTML radio button and text box value, then insert that pair into an array, then pass that array into a SQL Stored Procedure parameter that adds to the WHERE clause in the SP? 
是否可以通过HTML单选按钮和文本框值创建键值对,然后将其插入数组,然后将该数组传递到添加到SP中WHERE子句的SQL存储过程参数中?
I am building a dashboard app that references one table in the SQL Server DB when it starts. 我正在构建一个仪表板应用程序,该应用程序在启动时会引用SQL Server DB中的一个表。 This brings back the results of a simple select SP. 这将带来简单选择SP的结果。 I am pretty new to SQL so I am "psuedo-coding"(sorry) 我对SQL很陌生,所以我是“伪编码”(对不起)
DECLARE @SelectedDate NVARCHAR(50)
SELECT * FROM Tablename WHERE log_ts > @SelectedDate
However at this point I need to be able to select between 1-4 field names and give them a value to filter by. 但是,在这一点上,我需要能够在1-4个字段名之间进行选择,并为其指定一个值作为过滤依据。
I would love to set up those field names as a radio button, and to prevent injection, screen those inputs against known values in my application before sending them to the server, including inserting default values of the input is null. 我希望将这些字段名称设置为单选按钮,并且为了防止注入,请在将它们输入到服务器之前对照我的应用程序中的已知值筛选这些输入,包括将输入的默认值插入为null。 My thought was to set up an array[string, string] once the screening is done, and pass that array into SQL as an array[field, value].(there would never be a null value).Here is what i would like the array to look like when being sent and all pairs are their default values: 我的想法是在筛选完成后设置一个array [string,string],然后将该数组作为array [field,value]传递给SQL。(永远不会有null值)。这就是我想要的发送时看起来像数组,所有对都是其默认值:
QueryArray = ["application_name","Mobile"]
["login_id","*"]
["log_ts","Datetime.Today"]
["error_level","Exception"]
Then somehow pass it into the where clause like this: 然后以某种方式将其传递给where子句,如下所示:
SELECT *
FROM TableName
WHERE [application_name] = [Mobile]
AND [login_id]=[*]
AND [log_ts]=[Datetime.Today]
AND [error_level]=[Exception]
This is where my brain looks normally for a for-each or something, but SQL if pretty new to me... Any help would be greatly appreciated, even if its just a link to a previous article that I could not find... 这是我的大脑通常在寻找for-each之类的地方,但是SQL对我来说还是很新的...任何帮助将不胜感激,即使它只是我找不到的上一篇文章的链接...
1 个解决方案
解决方案1
1 已采纳 2017-03-10 23:28:37
It sounds like you want to use nullable parameters in conjunction with the coalesce operator. 听起来您想与合并运算符一起使用可为空的参数。 This works well if you have a known set of parameters, and then want to filter against them. 如果您有一组已知的参数,然后想根据它们进行过滤,则此方法效果很好。 So if you know all the possible fields you can search on, which is assuming you know ahead what fields you will display on your UI for people to filter with , then you can actually make a procedure like so: 因此,如果您知道可以搜索的所有可能字段, 即假设您事先知道将在UI上显示哪些字段以供用户过滤 ,则实际上可以执行如下过程:
create procedure [dbo].[MySampleProcedure]
@Property1Value <yourDataType> = null,
@Property2Value <yourDataType> = null,
....
as
begin
select
Col1,
Col2,
...
from
[dbo].[YourTable]
where
Column1Value = coalesce(@Property1Value, Column1Value)
and Column2Value = coalesce(@Property2Value, Column2Value)
....
end
This effectively means that if you omit certain parameters, you can still match based on the parameters you provide. 这实际上意味着,如果省略某些参数,您仍然可以根据您提供的参数进行匹配。 When you receive your set from the UI, you can then match the pairs to parameters and you're off to the races. 当您从UI收到您的设置时,可以将这些对与参数进行匹配,然后就可以开始比赛了。
If your field names are dynamic (not known ahead of time), then it becomes a more difficult issue. 如果您的字段名称是动态的(事先未知),那么它将成为一个更加困难的问题。 In that case, you will likely have to drop to dynamic SQL to accomplish what you want, and construct a query using parameterized SQL, to avoid injection attempts. 在这种情况下,您可能必须使用动态SQL来完成所需的工作,并使用参数化SQL构造查询,以避免注入尝试。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.