[英]how do I pass a database NULL value to a string variable?
基本上,如果参数作为NULL传入,我想将其作为数据库NULL发送到数据库。 这样(请看下面的代码内的注释):
[HttpPost]
public void UpdateTitle(Title title)
{
string query = null;
string description = "";
string episodeAKA = "";
if (title.Description != null)
{
description = "'" + title.Description + "'";
}
else
{
//here's where description should be a DBNULL.
}
if (title.EpisodeAKA == null)
{
title.EpisodeAKA = "NULL";
}
myConnection.Open();
if (title.Operation == 'U')
{
query = "UPDATE dbo.AWD_Titles SET AwardStatusId = " + title.AwardStatus + ", Description = " + description + ", IsVerified = " + title.IsVerified + ", EpisodeAKA = '" + title.EpisodeAKA + "' WHERE AwardTitleId = " + title.AwardTitleId + " SELECT SCOPE_IDENTITY()";
}
var cmd = new SqlCommand(query, myConnection);
cmd.ExecuteScalar();
myConnection.Close();
}
}
这是标题的课程:
public class Title
{
public int AwardTitleId
{
get;
set;
}
public int AwardStatus
{
get;
set;
}
public int IsVerified
{
get;
set;
}
public string EpisodeAKA
{
get;
set;
}
public string Description
{
get;
set;
}
public char Operation
{
get;
set;
}
}
原始代码有几个基本错误。 这演示了如何正确执行操作 ,包括如何设置DBNull:
[HttpPost]
public void UpdateTitle(Title title)
{
string query;
if (title.Operation == 'U')
{
query =
"UPDATE dbo.AWD_Titles" +
" SET AwardStatusId = @AwardStatusID , Description = @Description , IsVerified= @IsVerified , EpisodeAKA= @EpisodeAKA" +
" WHERE AwardTitleId= @AwardTitleId ;" +
" SELECT SCOPE_IDENTITY();";
} else {
query="";
//presumably you have a slightly different query string for inserts.
//Thankfully, they should have pretty much the same set of parameters.
//If this method will really only be called for updates, the code is quite a bit simpler
}
//instead of a shared myConnection object, use a shared connection string.
// .Net is set up so that you should be creating a new connection object for most queries.
// I know it sounds backwards, but that's really the right way to do it.
// Create the connection in a using(){} block, so that you guarantee it is
// disposed correctly, even if an exception is thrown.
using (var cn = new SqlConnection(myConnectionString))
using (var cmd = new SqlCommand(query, cn))
{
//guessing at database types, lengths here. Fix with actual column types
cmd.Parameters.Add("@AwardStatusId", SqlDbType.Int).Value = title.AwardStatus;
cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 250).Value = title.Description;
cmd.Parameters.Add("@IsVerified", SqlDbType.Bit).Value = title.IsVerified;
cmd.Parameters.Add("@EpisodeAKA", SqlDbType.NVarChar, 100).Value = title.EpisodeAKA;
cmd.Parameters.Add("@AwardTitleId", SqlDbType.Int).Value = title.AwardTitleId;
//-------------
//This is the part that actually answers your question
foreach (var p in cmd.Parameters.Where(p => p.Value == null))
{
p.Value = DBNull.Value;
}
//-------------
cn.Open();
cmd.ExecuteScalar();
}
}
好了,有了您的代码,您可以在SQL代码中使用null
:
description = "null";
但是,您实际上应该使用参数化查询,而不是将值连接到SQL代码中。 如果任何数据来自用户输入,则您的代码很容易受到SQL注入攻击的影响。
对于参数值,请将DBNull.Value
用作空值,因此保存该参数的变量必须是一个对象:
object description;
if (title.Description != null) {
description = title.Description;
} else {
description = DBNull.Value;
}
现在,您可以在SqlParameter
对象中使用该值。
好的,首先是第一件事。 您的代码要求进行SQL注入攻击。 使用参数化查询 。
问题本身。 如果您想要的是数据库NULL,则需要传递值DBNull.Value。 您可以使用一个辅助函数, 将您的字符串转换为适当的值。
private object ConvertToDbReadyString(string value)
{
if(value=="NULL")
return DBNull.Value;
else
return value;
}
if (title.Description != null)
{
description = "'" + title.Description + "'";
}
else
{
//here's where description should be a DBNULL.
}
试试这个:
description = title.Description ?? string.Empty;
string variableValue == string.IsNullOrEmpty(stringValue) ? null : "Hello";
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.