将一组值发送到 Oracle 过程以在 WHERE IN 子句中使用 [英] Sending an array of values to Oracle procedure to use in WHERE IN clause
问题描述
我在 Oracle 中有一个存储过程,如下所示:
I have a stored procedure in Oracle as shown below:
CREATE PROCEDURE MY_TEST_PROC(
CUR OUT SYS_REFCURSOR,
PARAM_THAT_WILL_BE _USED_INSIDE_WHERE_IN
)
AS
BEGIN
OPEN CUR FOR
SELECT *
FROM MY_TABLE
WHERE COL1 IN (here I want to put values received from C#)
END;
在 ASP.NET 应用程序端,我有一个带有多个选项的 select 元素.我想在我的 WHERE 子句中使用这些列表项.我知道我可以在我的存储过程中有一个 VARCHAR2 输入参数,从列表项中创建一个逗号分隔的字符串,将它发送到过程.这样做有两个问题:
On the ASP.NET application side I have a select element with several options. I want to use these list items in my WHERE clause. I know that I can have a VARCHAR2 input parameter in my stored proc, make a comma separated string from the list items, send it to the procedure. There are two concerns with going this way:
- 我让我的网站容易受到 SQL 注入
- 在我的存储过程中,我必须使用我想避免的 EXECUTE ('SELECT ...') 模式.
如何将这些列表项发送到存储过程并在 WHERE IN 子句中使用它们?我正在使用 ODP.NET 并且听说过 UDT 但不知道如何使用它.
How can I send these list items to the stored procedure and use them inside the WHERE IN clause? I'm using ODP.NET and have heard of UDT but don't know how to use it.
推荐答案
您可以将此逗号分隔的输入参数添加为 varchar() 并使用以下 where 语句:
You can add this comma separated input parameter as a varchar() and use following where statement:
where (','||PARAM_THAT_WILL_BE||',' like '%,'||COL1||',%')
例如如果 PARAM_THAT_WILL_BE='2,3,4,5' 和 col1=3 我们得到:
for example if PARAM_THAT_WILL_BE='2,3,4,5' and col1=3 we get:
where (',2,3,4,5,' like '%,3,%')
如果 COL1 值在此列表中,则为 TRUE.在这里,您不使用动态查询,因此您可以避免关注 1) 和 2).
and it's TRUE if COL1 value is in this list. Here you don't use a dynamic query so you avoid concerns 1) and 2).
这篇关于将一组值发送到 Oracle 过程以在 WHERE IN 子句中使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
