How to parameterize complex OleDB queries?
I'm trying to refactor some code that is using string concatenation for creating SQL commands (which makes it vulnerable to SQL injection). Basically all I'm trying to do is to replace all the
    string sqlToExecute = String.Format(..)
statements with a SQL command and a List of OleDb parameters.
I understand how this can be done for simple cases like
    String.Format("Select * from myTable where id = {0}", id)
However, I could not find a set of good examples for more complex SQL queries.
Here are some of the queries that I'm not sure how exactly I can parameterize:
1. Parameters are used for both column name and alias; the parameter consists of two variables:
    selQueryBldr.AppendFormat("SELECT * FROM {0} {1}
        INNER JOIN ColChange CC ON CC.TableRecordID = {1}.{2} and CC.EntityID='{3}'",
        entity.StageTableName, stageTableAlias, entity.PrimaryKey, entity.EntityID);
2. The same parameter is used in multiple SQL IN clauses. SQL query:
SELECT A.TablePrefix ...
FROM Entity E
INNER JOIN App A
ON A.AppID = E.AppID
WHERE E.AppID in (#APPIDS#)
UNION
SELECT A.TablePrefix ...
FROM EntityB EB
INNER JOIN App A
ON A.AppID = EB.AppID
WHERE EB.AppID in (#APPIDS#)
Currently the parameter is added in the code by using the String.Replace() method:
    sqlQuery = sqlQuery.Replace("#APPIDS#", idList);
3. Using variables as a parameter name and a parameter value (StringBuilder has no format-string constructor, so the format call is wrapped in string.Format here):
    StringBuilder dataQuery = new StringBuilder(string.Format("Select * from {0} WHERE {1}='{2}'",
        tableName, primaryKey[0], changeRow["TableRecordID"]));
4. Variable used as part of the unicode parameter:
    sSQL = string.Format("SELECT name FROM sysobjects WHERE id = object_id(N'[dbo].[{0}]')",
        sSPName);
Also, all of these examples are using OleDb classes (OleDbConnection/OleDbCommand etc.), thus as far as I understand named parameters can not be used here.
Different back-ends allow (or not) either named parameters, or "?" place-holders for parameters, so what you would do is build your query something like (the OleDbCommand constructor takes the command text first, then the connection):
    OleDbCommand oCmd = new OleDbCommand( "select * from someTable where yourColumn = ? and otherColumn = ?", YourConnection );
    oCmd.Parameters.AddWithValue( "parm1", YourVariable.FormattedHoweverNeeded );
    oCmd.Parameters.AddWithValue( "parm2", anotherVariable.FormattedHoweverNeeded );
If the columns are expecting strings, ensure a string. If expecting numeric (int, double, float, etc.), leave as that type too, or other (date/time, etc.).
Just note... if not doing named parameters (as I have with the "?" place-holder), the parameters must be added in the same sequence as the "?" are placed in the SQL command.
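As an added example (not code from the question or the answer above), the following C# applies the positional "?" approach to the question's own cases: one placeholder per value, with the parameter list added once per IN clause, for the repeated IN clause of case 2, and a whitelist check for the table and column identifiers of cases 1 and 3, which OleDb cannot bind as parameters. The class and method names, the `allowedNames` set and the OleDbType choices are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.OleDb;
using System.Linq;
using System.Text.RegularExpressions;

// Added example, not from the original post. Identifiers (table, alias, column)
// cannot be bound as OleDb parameters, so they are whitelisted; values always go through "?".
static class SafeOleDbQueries
{
    // Case 2: one "?" per value, and the parameters added once per IN clause,
    // because OleDb binds positionally and the UNION repeats the clause.
    public static OleDbCommand BuildAppIdQuery(OleDbConnection conn, IReadOnlyList<int> appIds)
    {
        if (appIds.Count == 0) throw new ArgumentException("appIds must not be empty");
        string placeholders = string.Join(", ", Enumerable.Repeat("?", appIds.Count));
        string sql =
            "SELECT A.TablePrefix FROM Entity E INNER JOIN App A ON A.AppID = E.AppID " +
            $"WHERE E.AppID IN ({placeholders}) UNION " +
            "SELECT A.TablePrefix FROM EntityB EB INNER JOIN App A ON A.AppID = EB.AppID " +
            $"WHERE EB.AppID IN ({placeholders})";
        var cmd = new OleDbCommand(sql, conn);
        for (int pass = 0; pass < 2; pass++)            // first IN clause, then the second
            foreach (int id in appIds)
                cmd.Parameters.Add("appId" + cmd.Parameters.Count, OleDbType.Integer).Value = id;
        return cmd;
    }

    // Cases 1 and 3: the name must match a strict identifier pattern AND be one the
    // application already knows (allowedNames is an assumed whitelist, e.g. from metadata).
    static readonly Regex Identifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]*$");

    public static string QuoteIdentifier(string name, ISet<string> allowedNames)
    {
        if (!Identifier.IsMatch(name) || !allowedNames.Contains(name))
            throw new ArgumentException($"identifier not in whitelist: {name}");
        return "[" + name + "]";
    }

    public static OleDbCommand BuildChangeRowQuery(OleDbConnection conn, string tableName,
        string primaryKey, object recordId, ISet<string> allowedNames)
    {
        string sql = $"SELECT * FROM {QuoteIdentifier(tableName, allowedNames)} " +
                     $"WHERE {QuoteIdentifier(primaryKey, allowedNames)} = ?";
        var cmd = new OleDbCommand(sql, conn);
        cmd.Parameters.AddWithValue("recordId", recordId);   // value side is always a parameter
        return cmd;
    }
}
```

Case 4 follows the same value-side pattern: write `object_id(?)` and bind the whole `[dbo].[name]` string as a single WChar parameter instead of splicing the name into the N'...' literal.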