2023年6月21日发(作者:)
存储过程中拼接sql并且参数化ALTER PROCEDURE [dbo].[proc_test]( @orderby nvarchar(100) = ' order by id desc ', @userid int, @stime datetime, @etime datetime)ASBEGIN DECLARE @strWhere nvarchar(1000)=''; --where条件 DECLARE @execsql nvarchar(1000); -- 主语句 DECLARE @param nvarchar(1000); -- 参数
-------拼接where条件--------------------------------------------------------------------- if(@userid>0) begin SET @strWhere += ' and [userid] = @userid ' end --'1753/1/1 0:00:00'为时间传过来的默认值,表⽰⽆此筛选条件 if(@stime <> '' and @stime>'1753/1/1 0:00:00') begin SET @strWhere += ' and [time] >= @stime ' end --'1753/1/1 0:00:00'为时间传过来的默认值,表⽰⽆此筛选条件 if(@etime <> '' and @etime>'1753/1/1 0:00:00') begin SET @strWhere += ' and [time] <= @etime ' end
------拼接where条件 end---------------------------------------------------------------------
--查询sql set @execsql = ' SELECT TOP 1000 [id] ,[time] FROM [tradeinfo] WHERE 1 = 1 ' + @strWhere +@orderby;
--参数化处理 set @param =N'@userid int,@stime datetime,@etime datetime'; EXEC _executesql @execsql ,@param, @userid=@userid, @stime =@stime, @etime =@etime
END
c#调⽤如下:SqlParameter[] parameters ={ new SqlParameter("@orderby", r, 30), new SqlParameter("@userid", ,4), new SqlParameter("@stime", me,9), new SqlParameter("@etime", me,9)};parameters[0].Value = " order by id desc ";parameters[1].Value = 0;parameters[2].Value = ;//默认最⼩值:1753/1/1 0:00:00parameters[3].Value = ;//默认最⼩值:1753/1/1 0:00:00var ds = ExecuteNonQuery(Procedure, "proc_test", parameters);
上⾯的存储过程做了参数化处理,可以避免sql注⼊,相⽐直接拼接(SET @strWhere += ' and [userid] = ' +convert(varchar,@userid),然后⽤EXEC()⽅法执⾏),更⾼效、更安全,当然维护起来有点⿇烦,还有⼀点排序的参数@orderby好像没法参数化,以后有更好的⽅法再更新此⽂。
2023年6月21日发(作者:)
存储过程中拼接sql并且参数化ALTER PROCEDURE [dbo].[proc_test]( @orderby nvarchar(100) = ' order by id desc ', @userid int, @stime datetime, @etime datetime)ASBEGIN DECLARE @strWhere nvarchar(1000)=''; --where条件 DECLARE @execsql nvarchar(1000); -- 主语句 DECLARE @param nvarchar(1000); -- 参数
-------拼接where条件--------------------------------------------------------------------- if(@userid>0) begin SET @strWhere += ' and [userid] = @userid ' end --'1753/1/1 0:00:00'为时间传过来的默认值,表⽰⽆此筛选条件 if(@stime <> '' and @stime>'1753/1/1 0:00:00') begin SET @strWhere += ' and [time] >= @stime ' end --'1753/1/1 0:00:00'为时间传过来的默认值,表⽰⽆此筛选条件 if(@etime <> '' and @etime>'1753/1/1 0:00:00') begin SET @strWhere += ' and [time] <= @etime ' end
------拼接where条件 end---------------------------------------------------------------------
--查询sql set @execsql = ' SELECT TOP 1000 [id] ,[time] FROM [tradeinfo] WHERE 1 = 1 ' + @strWhere +@orderby;
--参数化处理 set @param =N'@userid int,@stime datetime,@etime datetime'; EXEC _executesql @execsql ,@param, @userid=@userid, @stime =@stime, @etime =@etime
END
c#调⽤如下:SqlParameter[] parameters ={ new SqlParameter("@orderby", r, 30), new SqlParameter("@userid", ,4), new SqlParameter("@stime", me,9), new SqlParameter("@etime", me,9)};parameters[0].Value = " order by id desc ";parameters[1].Value = 0;parameters[2].Value = ;//默认最⼩值:1753/1/1 0:00:00parameters[3].Value = ;//默认最⼩值:1753/1/1 0:00:00var ds = ExecuteNonQuery(Procedure, "proc_test", parameters);
上⾯的存储过程做了参数化处理,可以避免sql注⼊,相⽐直接拼接(SET @strWhere += ' and [userid] = ' +convert(varchar,@userid),然后⽤EXEC()⽅法执⾏),更⾼效、更安全,当然维护起来有点⿇烦,还有⼀点排序的参数@orderby好像没法参数化,以后有更好的⽅法再更新此⽂。
发布评论