Stored procedure for Sql Command
Problem description
I need the code of Stored procedure for the following Sql Command and the syntax for how to invoke the stored procedure in C#.
The Code is:
"SELECT * FROM (SELECT ROW_NUMBER() OVER (ORDER BY [index]) AS RowNum, * FROM [Products] WHERE ([manufacturer]='" + cys + "')) sub WHERE RowNum = '"+x+"'"
Reply needed ASAP.
Recommended answer
Hi,
Have a look here:
http://www.csharp-station.com/Tutorials/AdoDotNet/Lesson07.aspx
http://msdn.microsoft.com/en-us/library/ms171921%28v=vs.110%29.aspx
I see that you use string concatenation to build a query. NEVER use string concatenation to build SQL queries! If you use it, your application isn't protected against SQL Injection! To prevent SQL Injection, use parameterized queries:
http://www.dotnetperls.com/sqlparameter
http://johnhforrest.com/2010/10/parameterized-sql-queries-in-c/
http://csharp-station.com/Tutorial/AdoDotNet/Lesson06
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx
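A stored procedure for the asker's query and the C# call through a parameterized SqlCommand, as an added example that is not part of the original answer. The procedure name, the nvarchar(100) and int parameter types, the connection string and the use of System.Data.SqlClient are assumptions; cys and x are the variable names from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductRepository
{
    // T-SQL deployed once to the database (procedure name and types are assumptions).
    // The two values the original code concatenated into the SQL text are now parameters:
    //
    // CREATE PROCEDURE dbo.GetProductByManufacturerRow
    //     @Manufacturer nvarchar(100),
    //     @RowNum       int
    // AS
    // BEGIN
    //     SET NOCOUNT ON;
    //     SELECT * FROM (
    //         SELECT ROW_NUMBER() OVER (ORDER BY [index]) AS RowNum, *
    //         FROM [Products]
    //         WHERE [manufacturer] = @Manufacturer
    //     ) sub
    //     WHERE sub.RowNum = @RowNum;
    // END

    // Invokes the procedure. cys and x travel as typed parameter values, so SQL Server
    // treats their content as data to compare against, never as part of the statement.
    public static DataTable GetProductRow(string connectionString, string cys, int x)
    {
        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.GetProductByManufacturerRow", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Manufacturer", SqlDbType.NVarChar, 100).Value = cys;
            cmd.Parameters.Add("@RowNum", SqlDbType.Int).Value = x;

            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);   // zero or one row, matching the original query
            }
        }
        return table;
    }
}
```

In the original query x was compared as a quoted string; declaring @RowNum as int makes the row number a number at the type level, so a non-numeric value is rejected in C# before any SQL runs.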