sql语句WHERE子句中的Curly Braces [英] Curly Braces in sql statement WHERE clause
本文介绍了sql语句WHERE子句中的Curly Braces的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
有人可以解释下面示例中WHERE子句中花括号的使用。
SELECT c.EmployeeID,c.FirstName,c.EmployeeName, c.EmploymentStatus
来自CurrentRecord c
WHERE {0} ='{1}'
Can someone explain the use of the curly braces in the WHERE clause in the example below.
SELECT c.EmployeeID, c.FirstName, c.EmployeeName, c.EmploymentStatus
FROM CurrentRecord c
WHERE {0} = '{1}'
推荐答案
那是无效的SQL。您可能只看到C#代码的一部分。 {0}和{1}是C#中的占位符,通常与String.Format一起使用。
C#可能会将值转储到这些占位符中。
That is not valid SQL. You are likely only seeing a part of C# code. {0} and {1} are placeholders in C# and often used with String.Format.
C# is likely dumping values into those placeholders.
从一开始你的方法就错了。您永远不应该通过连接从UI获取的字符串来创建查询。相反,您需要使用参数化语句。请参阅: http://msdn.microsoft.com/en-us/library/ff648339.aspx。
如果你这样做,你的应用程序完全容易受到众所周知的漏洞利用: SQL注入。用户可以在UI中编写任何内容,包括一些SQL片段。你明白了吗?具体方法如下: http://xkcd.com/327 。
请查看我过去的答案:
在com.ExecuteNonQuery()中更新EROR; ,
hi姓名没有显示在名称中?。
-SA
Your approach is wrong from the very beginning. You should never create a query by concatenation of string taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.
If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.
Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.
—SA
这篇关于sql语句WHERE子句中的Curly Braces的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文