在SQL命令对象和C#2.0中使用'IN'运算符 [英] Using an 'IN' operator with a SQL Command Object and C# 2.0
本文介绍了在SQL命令对象和C#2.0中使用'IN'运算符的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我想调用一个sql语句,例如:
I would like to call a sql statement such as:
Select * From Table Where Column in ('value1', 'value2', 'value3')
设置命令参数的值等于 ('value1','value2','value3')
?
Is it as simple as setting a command parameter's value equal to "('value1', 'value2', 'value3')
"?
推荐答案
@Charles:您的方向正确,但是我们使用参数化查询主要是防止SQL注入。将外部值( params string []参数
)硬编码到查询中会带来麻烦。您可以迭代参数,但仍必须使用如下参数:
@Charles: You're going into the right direction, but we're using parametrized queries to mainly prevent SQL injections. Putting 'external' values (params string[] args
) hardcoded in queries is asking for trouble. You can iterate the arguments, but you still have to use parameters like this:
string[] values = new [] {"value1", "value2", "value3", "value4"};
StringBuilder query = new StringBuilder("Select * From Table Where Column in (");
SqlCommand cmd = new SqlCommand();
cmd.Connection = new SqlConnection("Your connection string");
for(int i = 0; i < columns.Length; i++)
{
string arg = string.Format("@arg{0}", i);
cmd.Parameters.AddwithValue(arg, SanatizeSqlString(columns[i]));
sb.AppendFormat("{0}, ", arg);
}
sb = sb.Remove(sb.Length -2, 2);
sb.Append(")");
cmd.CommandText = sb.ToString();
这样,您最终将得到如下查询:
This way you'll end up with a query like:
select * from table where column in (@arg0, @arg1, @arg2, @arg3)
这篇关于在SQL命令对象和C#2.0中使用'IN'运算符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文