使用 system.data.oracleclient 构建良好的搜索查询
[英]Constructing a good search query using system.data.oracleclient
问题描述
I am constructing a search function in a class to be used by several of our asp pages.
我正在一个类中构建一个搜索函数,供我们的几个 asp 页面使用。 The idea is simple, take a search term from the user and query the database for the item.这个想法很简单,从用户那里获取一个搜索词并在数据库中查询该项目。 Currently I am doing this the wrong way, which is vulnerable to SQL injection attacks (and ELMAH is in there to save the day if something goes wrong):目前我这样做是错误的,这很容易受到 SQL 注入攻击(如果出现问题, ELMAH可以挽救这一天):
Public Shared Function SearchByName(ByVal searchterm As String) As DataTable
SearchByName = New DataTable
Dim con As New OracleConnection(System.Configuration.ConfigurationManager.ConnectionStrings("OracleDB").ConnectionString)
Try
con.Open()
Dim SqlStr As String = "select ID_ELEMENT, ELEMENT_NAME from table_of_elements where upper(ELEMENT_NAME) like upper('%" & searchterm & "%')"
Dim cmd As New OracleCommand(SqlStr, con)
SearchByName.Load(cmd.ExecuteReader)
Catch ex As Exception
Elmah.ErrorSignal.FromCurrentContext().Raise(ex)
End Try
con.Close()
con.Dispose()
Return SearchByName
End Function
String concatenation is BAD.字符串连接不好。 Next thing you know, Bobby Tables wrecks my system.接下来你知道, Bobby Tables破坏了我的系统。 Now, the correct way to do this is to to make a proper oracle variable, by putting :searchterm in the string and adding the following line:现在,正确的方法是创建一个合适的 oracle 变量,将 :searchterm 放入字符串中并添加以下行:
cmd.Parameters.Add(New OracleParameter("SEARCHTERM", searchterm))
The problem is since I am using a like statement, I need to be able to have % on either side of the search word, and I can't seem to do that with '%:searchterm%', it just gives an error of ORA-01036: illegal variable name/number.问题是因为我使用了一个类似的语句,我需要能够在搜索词的两边都有 %,而我似乎无法用 '%:searchterm%' 来做到这一点,它只是给出了一个错误ORA-01036: 非法变量名/编号。
Can I parameterize but still have my flexible like statement be a part of it?我可以参数化但仍然让我的灵活 like 语句成为它的一部分吗?
2 个解决方案
解决方案1
5 已采纳 2009-09-15 21:47:51
Instead of doing the concatenation in your VB code, do the concatenation in the SQL statement.不要在 VB 代码中进行连接,而是在 SQL 语句中进行连接。 Then what you're trying to do should work.那么你正在尝试做的应该有效。 Here's some SQL illustrating what I'm talking about:这里有一些 SQL 说明了我在说什么:
select ID_ELEMENT, ELEMENT_NAME
from table_of_elements
where upper(ELEMENT_NAME) like ('%' || upper(:searchterm) || '%')
BTW, you might end up with more efficient queries if you switch the collation on ELEMENT_NAME to case-insensitive and then remove the calls to upper().顺便说一句,如果将 ELEMENT_NAME 上的排序规则切换为不区分大小写,然后删除对 upper() 的调用,则最终可能会得到更有效的查询。
解决方案2
1 2009-09-15 22:13:51
Since you're using oracle, another option would be to use Oracle Text to perform the search.由于您使用的是 oracle,另一种选择是使用Oracle Text来执行搜索。
It can take a bit to set up properly, but if you have a large amount of text to search, or have some sort of structured data, it can offer you many more options than a simple wild-card comparison.正确设置可能需要一些时间,但是如果您有大量文本要搜索,或者有某种结构化数据,它可以为您提供比简单的通配符比较更多的选择。
It also has some nice features for dealing with multiple languages, if you happen to have that problem as well.如果您碰巧也遇到这个问题,它也有一些很好的功能来处理多种语言。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.