Parameterized dynamic sql query

日久生厌 2020-12-10 18:33

I have a list of keywords that I store in a list.

To fetch records from a table, I am using the following query:

sqlBuilder.Append("SELECT name, membe
2 answers
  • 2020-12-10 18:48

    You are doing a few things wrong here:

    • You give all your parameters the same name @searchitem. That won't work. The parameters need unique names.
    • You create a new SqlCommand for each item. That won't work. Create the SqlCommand once at the beginning of the loop and then set CommandText once you are done creating the SQL.
    • Your SQL ends with AND, which is not valid syntax.

    Improvement suggestions (not wrong per se, but not best practice either):

    • As Frederik suggested, the usual way is to put the % tokens in the parameter, rather than doing string concatenation inside the SQL.
    • Unless you explicitly use a case-sensitive collation for your database, comparisons should be case-insensitive. Thus, you might not need the LOWER.

    Code example:

    SqlCommand cmd = new SqlCommand();
    StringBuilder sqlBuilder = new StringBuilder();
    sqlBuilder.Append("SELECT name, memberid FROM members ");
    
    var i = 1;
    foreach (string item in keywords)
    {
        // the first keyword opens the WHERE clause, later ones are ANDed on
        sqlBuilder.Append(i == 1 ? " WHERE " : " AND ");
        // each keyword gets its own parameter name: @searchitem1, @searchitem2, ...
        var paramName = "@searchitem" + i.ToString();
        sqlBuilder.AppendFormat(" Name LIKE {0} ", paramName); 
        // wildcards go into the parameter value, not into the SQL text
        cmd.Parameters.AddWithValue(paramName, "%" + item + "%");
    
        i++;
    }
    cmd.CommandText = sqlBuilder.ToString();
    
  • 2020-12-10 19:07

    Do not put the wildcard characters in your querystring, but add them to your parameter-value:

    sql = "SELECT name FROM members WHERE Name LIKE @p_name";
    ...
    cmd.Parameters.AddWithValue("@p_name", "%" + item + "%");
    

    When you add the wildcard characters inside your query-string, the parameter will be escaped, but the wildcard chars will not; that will result in a query that is sent to the DB that looks like this:

    SELECT name FROM members WHERE Name LIKE %'somename'%
    

    which is obviously not correct.

    Next to that, you're creating a SqlCommand in a loop which is not necessary. Also, you're creating parameters with a non-unique name, since you're adding them in a loop, and the parameter always has the same name. You also need to remove the last AND keyword, when you exit the loop.

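Putting both answers together, the following is an added, complete example (editor's code, not from either answerer or the question): one SqlCommand, a uniquely named parameter per keyword, wildcards placed in the parameter value rather than in the SQL text, and, going one step beyond the answers, escaping of the LIKE metacharacters so that a user-supplied keyword such as `50%` is matched literally instead of acting as a wildcard. The `MemberSearch` class name, the `members` / `name` / `memberid` names taken from the question, and the connection string are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

static class MemberSearch
{
    // Escape the LIKE metacharacters (backslash, %, _, [) so user input is matched
    // literally. The ESCAPE '\' clause in the generated SQL pairs with this.
    public static string EscapeLike(string s)
    {
        return s.Replace("\\", "\\\\")
                .Replace("%", "\\%")
                .Replace("_", "\\_")
                .Replace("[", "\\[");
    }

    // Build a single SqlCommand whose WHERE clause has one parameter per keyword.
    // The SQL text contains only parameter names; user data is never concatenated in.
    public static SqlCommand BuildSearchCommand(SqlConnection conn, IReadOnlyList<string> keywords)
    {
        var cmd = conn.CreateCommand();
        var sql = new StringBuilder("SELECT name, memberid FROM members");

        for (int i = 0; i < keywords.Count; i++)
        {
            sql.Append(i == 0 ? " WHERE " : " AND ");     // no trailing AND after the loop
            string paramName = "@searchitem" + i;          // unique name per keyword
            sql.Append("name LIKE ").Append(paramName).Append(" ESCAPE '\\'");

            // Explicit type instead of AddWithValue: avoids type inference from the value.
            var p = cmd.Parameters.Add(paramName, SqlDbType.NVarChar);
            p.Value = "%" + EscapeLike(keywords[i]) + "%"; // wildcards live in the value
        }

        cmd.CommandText = sql.ToString();
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input; the third keyword contains a LIKE metacharacter.
        var keywords = new List<string> { "smith", "jo", "50%" };

        // Placeholder connection string; replace with your own.
        using (var conn = new SqlConnection("Server=(local);Database=Demo;Integrated Security=true"))
        {
            conn.Open();
            using (var cmd = BuildSearchCommand(conn, keywords))
            {
                // Generated text:
                // SELECT name, memberid FROM members WHERE name LIKE @searchitem0 ESCAPE '\'
                //   AND name LIKE @searchitem1 ESCAPE '\' AND name LIKE @searchitem2 ESCAPE '\'
                Console.WriteLine(cmd.CommandText);
                using (var reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                        Console.WriteLine($"{reader["memberid"]}: {reader["name"]}");
                }
            }
        }
    }
}
```

Two design notes: the parameter is added with an explicit `SqlDbType` rather than `AddWithValue`, so its type does not depend on the value passed in, and the `ESCAPE` clause is what turns the escaped `%`, `_` and `[` back into literal characters; without it, a keyword of just `%` would match every row. If the `name` column is `varchar` rather than `nvarchar`, use `SqlDbType.VarChar` for the parameter so the comparison does not force an implicit conversion on the column.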