Converting custom controls search filters to dynamic SQL query


Problem description


Hi everyone,

Can you help me with this question: how to convert custom control search filters into a dynamic SQL query with logical operators (AND, OR)?

Example custom controls: Click Here

Recommended answer

This is a very usual problem.

It would be best to create a fixed set of "universal" query strings using the parametrized query approach.
Depending on the current state of the query control, you should select one of the queries from the set and perform substitution of the parameters.

Please see:
http://en.wikipedia.org/wiki/Parameterized_query,
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx.

For a code sample, take a look at this tutorial:
http://www.csharp-station.com/Tutorials/AdoDotNet/Lesson06.aspx.

Building a dynamic query string through string manipulation such as concatenation or StringBuilder is not efficient and is considered unsafe due to the possibility of SQL injection. Please see:
http://en.wikipedia.org/wiki/SQL_injection.

—SA
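The following is an added example, not code from the question, the answer, or the linked tutorials. It shows the principle behind the answer in Python with the standard-library `sqlite3` module (the same idea carries over to ADO.NET with `SqlParameter`). It generalizes the "fixed set of query strings" idea slightly: the query text is composed only from whitelisted column names, comparison operators, and the AND/OR conjunction chosen by the search control, while every value typed into a filter is bound as a `?` parameter and never becomes part of the SQL text. The `customers` table and its rows are constructed sample data, and `build_query`/`search` are hypothetical helper names.

```python
import sqlite3

# Constructed sample data standing in for whatever the search form queries.
SAMPLE_ROWS = [
    (1, "Alice", "Berlin", 34),
    (2, "Bob", "Paris", 52),
    (3, "Carol", "Berlin", 41),
    (4, "Dave", "Rome", 29),
]

# Whitelists: the only pieces of SQL *structure* a filter control may contribute.
# Anything a user types goes through parameters, never through these sets.
ALLOWED_COLUMNS = {"name", "city", "age"}
ALLOWED_OPERATORS = {"=", "<>", "<", ">", "LIKE"}
ALLOWED_CONJUNCTIONS = {"AND", "OR"}


def build_query(filters, conjunction="AND"):
    """Turn filter rows (column, operator, value) into parameterized SQL.

    Returns (sql_text, params). The SQL text is assembled only from constants
    this function controls; each user value is replaced by a '?' placeholder
    and handed back separately so the driver binds it as data.
    """
    if conjunction not in ALLOWED_CONJUNCTIONS:
        raise ValueError(f"unsupported conjunction: {conjunction!r}")
    clauses, params = [], []
    for column, operator, value in filters:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"unsupported column: {column!r}")
        if operator not in ALLOWED_OPERATORS:
            raise ValueError(f"unsupported operator: {operator!r}")
        clauses.append(f"{column} {operator} ?")
        params.append(value)
    sql = "SELECT id, name, city, age FROM customers"
    if clauses:
        sql += " WHERE " + f" {conjunction} ".join(clauses)
    return sql, tuple(params)


def search(filters, conjunction="AND"):
    """Run the composed query against an in-memory database seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, city TEXT, age INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    sql, params = build_query(filters, conjunction)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    # Two filters joined with AND, as a search form with two active controls would produce.
    print(search([("city", "=", "Berlin"), ("age", ">", 40)], "AND"))
    # The same controls joined with OR.
    print(search([("city", "=", "Berlin"), ("city", "=", "Rome")], "OR"))
    # A value that looks like SQL is still just a value: it matches no name and
    # cannot alter the WHERE clause, because it is bound, not concatenated.
    print(search([("name", "=", "' OR '1'='1")]))
```

The check that matters is the one on the last line: because the value is bound as a parameter, the driver compares it literally against the `name` column and returns nothing, which is exactly the property the answer is after. The whitelist checks are what keep the "dynamic" part safe; if a control could pass an arbitrary column or operator string, the query text would again be under the user's control.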

