Stored procedure for Sql Command

Problem description

I need the code of Stored procedure for the following Sql Command and the syntax for how to invoke the stored procedure in C#.
The Code is:

"SELECT * FROM (SELECT ROW_NUMBER() OVER (ORDER BY [index]) AS RowNum, * FROM [Products] WHERE ([manufacturer]='" + cys + "')) sub WHERE RowNum = '"+x+"'"

Reply needed ASAP.

Recommended answer

Hi,

Have a look here:
http://www.csharp-station.com/Tutorials/AdoDotNet/Lesson07.aspx
http://msdn.microsoft.com/en-us/library/ms171921%28v=vs.110%29.aspx

I see that you use string concatenation to build a query. NEVER use string concatenation to build SQL queries! If you use it, your application isn't protected against SQL Injection! To prevent SQL Injection, use parameterized queries:
http://www.dotnetperls.com/sqlparameter
http://johnhforrest.com/2010/10/parameterized-sql-queries-in-c/
http://csharp-station.com/Tutorial/AdoDotNet/Lesson06
http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx
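A stored-procedure version of the query from the question, together with the C# call that invokes it through typed SqlParameters, as an added example that is not part of the original answer. The procedure name, parameter sizes and connection string are assumptions; the table and column names ([Products], [manufacturer], [index]) come from the question's query.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). Procedure name, parameter
// names/sizes and connection string are assumptions.
public static class ProductLookup
{
    // T-SQL to deploy once (e.g. from SSMS). It replaces the concatenated
    // query: manufacturer and row number arrive as typed parameters, so the
    // user-supplied values can never alter the statement's structure.
    public const string CreateProcedureSql = @"
CREATE PROCEDURE dbo.GetProductByManufacturerRow
    @Manufacturer NVARCHAR(100),
    @RowNum       INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT *
    FROM (SELECT ROW_NUMBER() OVER (ORDER BY [index]) AS RowNum, *
          FROM [Products]
          WHERE [manufacturer] = @Manufacturer) AS sub
    WHERE RowNum = @RowNum;
END";

    // Equivalent of the original concatenated query: cys is the manufacturer,
    // x the 1-based row number. Returns the matching row(s) as a DataTable.
    public static DataTable GetProduct(string connectionString, string cys, int x)
    {
        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.GetProductByManufacturerRow", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Explicit types and lengths: values are bound by the driver,
            // never spliced into SQL text, so quotes in cys are harmless.
            cmd.Parameters.Add("@Manufacturer", SqlDbType.NVarChar, 100).Value = cys;
            cmd.Parameters.Add("@RowNum", SqlDbType.Int).Value = x;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
        }
        return table;
    }
}
```

If x arrives as text (for example from a query string), convert it with int.TryParse before calling GetProduct, so a non-numeric value is rejected in the application instead of reaching the database.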

