Curly Braces in sql statement WHERE clause


Question


Can someone explain the use of the curly braces in the WHERE clause in the example below?

SELECT c.EmployeeID, c.FirstName, c.EmployeeName, c.EmploymentStatus
FROM CurrentRecord c
WHERE {0} = '{1}'

Recommended answer

That is not valid SQL. You are likely only seeing a part of the C# code. {0} and {1} are placeholders in C# and are often used with String.Format.

C# is likely dumping values into those placeholders.


Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use parameterized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA
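As an added example (not code from the question or either answer): the String.Format pattern the question shows, next to a parameterized version. It assumes the column name in {0} also comes from the UI; a column identifier cannot be bound as a parameter, so it is checked against an allow-list and only the value in {1} is passed as a SqlParameter. The connection string is a placeholder; the code builds the command without opening a connection.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class CurrentRecordQuery
{
    // The pattern implied by the question: both placeholders are filled by
    // string formatting, so the value reaches the SQL parser as code, not data.
    public static string BuildUnsafeSql(string column, string value)
    {
        return string.Format(
            "SELECT c.EmployeeID, c.FirstName, c.EmployeeName, c.EmploymentStatus " +
            "FROM CurrentRecord c WHERE {0} = '{1}'", column, value);
    }

    // Hypothetical allow-list: the only columns the UI is permitted to filter on.
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "EmployeeID", "FirstName", "EmployeeName", "EmploymentStatus" };

    // Identifier validated against the allow-list, value bound as a parameter.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string column, string value)
    {
        if (!AllowedColumns.Contains(column))
            throw new ArgumentException("Column not permitted: " + column, nameof(column));

        var cmd = new SqlCommand(
            "SELECT c.EmployeeID, c.FirstName, c.EmployeeName, c.EmploymentStatus " +
            "FROM CurrentRecord c WHERE c." + column + " = @value", conn);
        cmd.Parameters.Add("@value", SqlDbType.NVarChar, 200).Value = value;
        return cmd;
    }

    public static void Main()
    {
        // Constructed input: an ordinary name containing a quote is enough to
        // end the string literal early; anything after it is parsed as SQL.
        string value = "O'Brien";
        Console.WriteLine(BuildUnsafeSql("FirstName", value));
        // The parameterized command keeps the quote inside the bound value.
        using (var conn = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER"))
        using (var cmd = BuildSafeCommand(conn, "FirstName", value))
            Console.WriteLine(cmd.CommandText + "  [@value = " + cmd.Parameters["@value"].Value + "]");
    }
}
```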

