Right now I am using the following code to generate the WHERE clause in my query. I have a parameter for the search column (searchColumn) plus another parameter from a checked listbox that I use.
If no item is checked there is no WHERE clause at all.
Is it possible to put this into a parameterized query? For the second part there's most likely a way like searchColumn NOT IN ( ... ) where ... is the data from an array. Though I am not sure how to handle the case when there's nothing checked at all.
Any thoughts or links on this?
strWhereClause = "";
foreach (object objSelected in clbxFilter.CheckedItems)
{
    // The checked text goes straight into the SQL string (no parameters).
    string strSearch = clbxFilter.GetItemText(objSelected);
    if (strWhereClause.Length == 0)
    {
        strWhereClause += "WHERE (" + searchColumn + " = '" + strSearch + "' "
            + "OR " + searchColumn + " = '" + strSearch + "') ";
    }
    else
    {
        strWhereClause += "OR (" + searchColumn + " = '" + strSearch + "' "
            + "OR " + searchColumn + " = '" + strSearch + "') ";
    }
}
It sounds like you're just trying to dynamically build a parameterized query string using C#. You're halfway there with your code - my example below builds up a dictionary with parameter names and parameter values, which you can then use to create SqlParameters. One thing I'm not 100% sure about is where searchColumn is coming from - is this generated from user input? That could be dangerous, and parameterizing that would require using some dynamic SQL and probably some validation on your part.
strWhereClause = "";
Dictionary<string, string> sqlParams = new Dictionary<string, string>();
int i = 1;
string paramName = "@p" + i.ToString(); // first iteration: "@p1"
foreach (object objSelected in clbxFilter.CheckedItems)
{
    string strSearch = clbxFilter.GetItemText(objSelected);
    if (strWhereClause.Length == 0)
    {
        // Only the parameter name is placed in the SQL; the value is kept aside.
        strWhereClause += "WHERE (thisyear." + strKB + " = @p1 OR " + searchColumn + " = @p1) ";
        sqlParams.Add(paramName, strSearch);
        i = 2;
    }
    else
    {
        paramName = "@p" + i.ToString(); // "@p2", "@p3", etc.
        strWhereClause += "OR (" + searchColumn + " = " + paramName + " OR " + searchColumn + " = " + paramName + ") ";
        sqlParams.Add(paramName, strSearch);
        i++;
    }
}
Then, when parameterizing your query, just loop through your dictionary.
if (sqlParams.Count != 0 && strWhereClause.Length != 0)
{
    // One SqlParameter per dictionary entry; the key is the "@pN" name used in the SQL.
    foreach (KeyValuePair<string, string> kvp in sqlParams)
    {
        command.Parameters.Add(new SqlParameter(kvp.Key, SqlDbType.VarChar) { Value = kvp.Value });
    }
}
For reference only:
string strWhereClause;
string searchColumn;
string strKB;
SqlCommand cmd = new SqlCommand();

private void button1_Click(object sender, EventArgs e)
{
    strWhereClause = "";
    cmd.Parameters.Clear(); // cmd is reused across clicks; adding "@Param1" twice would throw
    int ParmCount = 0;
    foreach (object objSelected in clbxFilter.CheckedItems)
    {
        string strSearch = clbxFilter.GetItemText(objSelected);
        ParmCount += 1;
        string strParamName = "@Param" + ParmCount.ToString(); // Param1 to ParamN
        cmd.Parameters.Add(strParamName, SqlDbType.NVarChar);
        cmd.Parameters[strParamName].Value = strSearch;
        if (strWhereClause.Length == 0)
        {
            strWhereClause += "WHERE (thisyear." + strKB + " = " + strParamName + " "
                + "OR " + searchColumn + " = " + strParamName + ") ";
        }
        else
        {
            strWhereClause += "OR (thisyear." + strKB + " = " + strParamName + " "
                + "OR " + searchColumn + " = " + strParamName + ") ";
        }
    }
    // With nothing checked the loop never runs, so strWhereClause stays empty and
    // no WHERE clause is appended to the query.
}
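Both answers use the same technique: one placeholder per checked value, the values handed to the driver separately, and no WHERE clause at all when nothing is checked. The first answer also raises the point that the column name cannot be parameterized and must be validated if it comes from user input. The following is an added example that is not part of either answer or of the asker's code. It is written in Python with the sqlite3 module standing in for SqlCommand so that it runs stand-alone; the table name thisyear, the whitelist ALLOWED_COLUMNS, the sample rows and the helper names are assumptions. It generalizes the page's per-value OR chain to an IN (...) list per column, keeps the asker's string-concatenation version alongside for comparison, and checks what happens when a checked item contains a quote.

```python
import sqlite3

# Assumptions (not from the original post): a whitelist of searchable column
# names, and a small in-memory sqlite3 table "thisyear" standing in for the
# asker's SQL Server table.
ALLOWED_COLUMNS = frozenset({"kb", "title"})

SAMPLE_ROWS = [  # constructed sample data
    (1, "KB100", "Alpha"),
    (2, "KB200", "Beta"),
    (3, "KB300", "Alpha"),
    (4, "KB400", "O'Reilly"),
]


def open_sample_db():
    """Create the constructed sample table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE thisyear (id INTEGER PRIMARY KEY, kb TEXT, title TEXT)")
    conn.executemany("INSERT INTO thisyear VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_where_unsafe(search_columns, checked_items):
    """The asker's approach: checked values concatenated straight into the SQL."""
    clauses = []
    for value in checked_items:
        ors = " OR ".join(f"{col} = '{value}'" for col in search_columns)
        clauses.append(f"({ors})")
    return ("WHERE " + " OR ".join(clauses)) if clauses else ""


def build_where(search_columns, checked_items):
    """Parameterized equivalent.

    Column names cannot be bound as parameters, so they are checked against
    ALLOWED_COLUMNS instead. Each checked value becomes one '?' placeholder in
    an IN (...) list per column; an empty selection yields no WHERE clause.
    Returns (sql_fragment, params) with params in placeholder order.
    """
    for col in search_columns:
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not searchable: {col!r}")
    values = list(checked_items)
    if not values:
        return "", []
    placeholders = ", ".join("?" for _ in values)
    clauses = [f"{col} IN ({placeholders})" for col in search_columns]
    sql = "WHERE (" + " OR ".join(clauses) + ")"
    # The IN list is repeated once per column, so the values are too.
    return sql, values * len(search_columns)


def matching_ids(conn, search_columns, checked_items, unsafe=False):
    """Run the filtered query and return the matching ids in order."""
    if unsafe:
        where, params = build_where_unsafe(search_columns, checked_items), []
    else:
        where, params = build_where(search_columns, checked_items)
    query = f"SELECT id FROM thisyear {where} ORDER BY id"
    return [row[0] for row in conn.execute(query, params)]


if __name__ == "__main__":
    conn = open_sample_db()
    cols = ["kb", "title"]
    print(matching_ids(conn, cols, []))                 # nothing checked: no WHERE, all rows
    print(matching_ids(conn, cols, ["KB100", "Beta"]))  # matches on either column
    print(matching_ids(conn, cols, ["O'Reilly"]))       # the quote is just data
    payload = "x' OR '1'='1"                            # a checked item chosen by an attacker
    print(matching_ids(conn, cols, [payload], unsafe=True))  # concatenation: every row
    print(matching_ids(conn, cols, [payload]))               # parameterized: no row
```

The whitelist is the part that has no parameterized equivalent: if searchColumn comes from a control the user can influence, compare it against the fixed set of columns the form is allowed to search and reject anything else before it touches the SQL string.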