如何在C#函数中将Null或String传递给参数? [英] How Can I Pass Null Or String To Parameter In C# Function?
问题描述
public 列表<学生> function( string a, string b)
{
using (SqlConnection con = new SqlConnection(conStr))
{
SqlCommand cmd = new SqlCommand();
cmd.CommandText = 从学生中选择姓名,班级,地址name =' + a + 'and class =' + b + ';
cmd.Connection = con;
con.Open();
SqlDataReader dr = cmd.ExecuteReader();
列表<学生> DataObject = new List< Students>();
while (dr.Read())
{
学生o = 新学生();
o.Name = dr [ 名称]。ToString() ;
o.Class = dr [ Class]。ToString();
o.Address = dr [ Address]。ToString();
DataObject .Add(o);
}
return DataObject;
}
我需要使用这个功能,例如,
函数(a,b);它应该得到特定的学生。
函数(null,null)它应该让所有学生。
< blockquote>正如我所看到的,你的问题是如何构建一个具有复杂WHERE子句的SQL语句...
你的SQL - 最后 - 应该看起来像这样:
SELECT NAME,CLASS,ADDRESS FROM 学生 WHERE ( @ A IS NULL OR NAME = @ A ) AND ( @ B IS NULL 或 CLASS = @ B )
要执行此类查询,您需要了解如何使用我们在C#中进行参数化查询(并且永远不要使用字符串连接来创建!!!)
SqlCommand.Parameters Property(System.Data.SqlClient) [ ^ ]
< blockquote>你的方法从一开始就是错误的。通过串联从UI获取的字符串组成的查询。不仅重复的字符串连接是低效的(因为字符串是不可变的;我是否必须解释为什么它会使重复连接变坏?),但是有更重要的问题:它打开了通向良好的大门已知的漏洞称为 SQL注入。
这是它的工作原理: http://xkcd.com/327 。
你明白了吗?从控件中获取的字符串可以是任何东西,包括......一段SQL代码。
怎么办?只需阅读有关此问题和主要补救措施:参数化语句: http://en.wikipedia.org/ wiki / SQL_injection 。
使用ADO.NET,使用:http://msdn.microsoft.com/en-us/library/ff648339.aspx 。
请参阅我过去的答案有更多细节:
在com.ExecuteNonQuery中更新EROR( ); ,
嗨名字没有显示名称?。
至于你原来的问题,我不知道什么可能引起任何混淆。请参阅我对该问题的评论:如果学生或班级为空,您没有解释该做什么,而另一个参数不为空。此外,这些参数中的任何一个都可以是空字符串或任何与任何类无关的任何参数。
您所需要的只是精确地制定规则并针对不同的案例进行不同的查询。
public List< students> function( string a, string b)
{
List< students> DataObject = new List< students>();
使用(SqlConnection con = new SqlConnection(conStr))
{
SqlCommand cmd = new SqlCommand();
if ( string .IsNullOrEmpty(a)&& string .IsNullOrEmpty(b))
cmd.CommandText = 选择名称,班级,来自学生的地址;
else
cmd.CommandText = 从学生中选择姓名,班级,地址,其中name =' + a + '和class = ' + b + ';
cmd.Connection = con;
con.Open();
SqlDataReader dr = cmd.ExecuteReader();
while (dr.Read())
{
学生o = 新学生();
o.Name = dr [ 名称]。ToString() ;
o.Class = dr [ Class]。ToString();
o.Address = dr [ Address]。ToString();
DataObject.Add(o);
}
}
return DataObject;
} < / 学生 > < / 学生 > < / 学生 >
但实际上你应该使用参数而不是name ='+ a +'和class ='+ b +'
public List<Students> function(string a,string b)
{
using (SqlConnection con = new SqlConnection(conStr))
{
SqlCommand cmd = new SqlCommand();
cmd.CommandText = "select name,class,address from students where name='"+a+"' and class='"+b+"'";
cmd.Connection = con;
con.Open();
SqlDataReader dr = cmd.ExecuteReader();
List<Students> DataObject = new List<Students>();
while (dr.Read())
{
Students o = new Students();
o.Name= dr["Name"].ToString();
o.Class= dr["Class"].ToString();
o.Address= dr["Address"].ToString();
DataObject .Add(o);
}
return DataObject;
}
I need to use this function like,
function(a,b); it should get the specific student.
function(null,null) it should get all students.
As I see, your problem is how to built an SQL statement that has complex WHERE clause...
You SQL - at the end - should look somethng like this:
SELECT NAME, CLASS, ADDRESS FROM STUDENTS WHERE (@A IS NULL OR NAME = @A) AND (@B IS NULL OR CLASS = @B)
To execute such query you need to learn how to use parameterized queries in C# (and never use string concatenation to create that!!!)
SqlCommand.Parameters Property (System.Data.SqlClient)[^]
Your approach is wrong from the very beginning. The query composed by concatenation with strings taken from UI. Not only repeated string concatenation is inefficient (because strings are immutable; do I have to explain why it makes repeated concatenation bad?), but there is way more important issue: it opens the doors to a well-known exploit called SQL injection.
This is how it works: http://xkcd.com/327.
Are you getting the idea? The string taken from a control can be anything, including… a fragment of SQL code.
What to do? Just read about this problem and the main remedy: parametrized statements: http://en.wikipedia.org/wiki/SQL_injection.
With ADO.NET, use this: http://msdn.microsoft.com/en-us/library/ff648339.aspx.
Please see my past answers for some more detail:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.
As to your original question, I have no idea what could possibly cause any confusion. Please see my comment to the question: you did not explain what to do if student or class is null, and the other argument is not null. Besides, any of those parameters can be empty string or anything not related to any class.
All you need is to formulate the rule precisely and make different queries for different cases.
—SA
public List<students> function(string a,string b) { List<students> DataObject = new List<students>(); using (SqlConnection con = new SqlConnection(conStr)) { SqlCommand cmd = new SqlCommand(); if(string.IsNullOrEmpty(a) && string.IsNullOrEmpty(b)) cmd.CommandText = "select name,class,address from students"; else cmd.CommandText = "select name,class,address from students where name='"+a+"' and class='"+b+"'"; cmd.Connection = con; con.Open(); SqlDataReader dr = cmd.ExecuteReader(); while (dr.Read()) { Students o = new Students(); o.Name= dr["Name"].ToString(); o.Class= dr["Class"].ToString(); o.Address= dr["Address"].ToString(); DataObject.Add(o); } } return DataObject; }</students></students></students>
But really you should use parameters instead ofname='"+a+"' and class='"+b+"'
这篇关于如何在C#函数中将Null或String传递给参数?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
