如何?参数和LIKE语句SQL [英] Howto? Parameters and LIKE statement SQL
问题描述
我写一个搜索功能,并想出了用参数prevent,或者至少限制,SQL注入攻击此查询。然而,当我运行它通过我的程序,它不返回任何东西:
I am writing a searching function, and have thought up of this query using parameters to prevent, or at least limit, SQL injection attacks. However, when I run it through my program it does not return anything:
SELECT * FROM compliance_corner WHERE(身体LIKE'%@查询%')或(标题LIKE'%@查询%')
能否参数一起使用这个样子?还是仅仅是在一个实例有效,如:
Can parameters be used like this? or are they only valid in an instance such as:
SELECT * FROM compliance_corner WHERE身体LIKE'%<串>%
(其中<串>
是搜索对象)。
SELECT * FROM compliance_corner WHERE body LIKE '%<string>%'
(where <string>
is the search object).
编辑:我是建设有VB.NET这个功能,这是否对你们作出了贡献语法的影响
I am constructing this function with VB.NET, does that have impact on the syntax you guys have contributed?
另外,我跑在SQL Server中的语句: SELECT * FROM compliance_corner WHERE(身体LIKE'%最大值%')或(标题LIKE
%最大%')`并返回结果。
Also, I ran this statement in SQL Server: SELECT * FROM compliance_corner WHERE (body LIKE '%max%') OR (title LIKE
%max%')` and that returns results.
推荐答案
您的Visual Basic code会是这个样子:
Your visual basic code would look something like this:
Dim cmd as New SqlCommand("SELECT * FROM compliance_corner WHERE (body LIKE '%' + @query + '%') OR (title LIKE '%' + @query + '%')")
cmd.Parameters.Add("@query", searchString)
这篇关于如何?参数和LIKE语句SQL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!