C# 动态组合SQL脚本LIKE语句及查询参数防SQL注入攻击
![](http://www.csframework.com/images/article-type5.gif)
![C# 动态组合SQL脚本LIKE语句及查询参数防SQL注入攻击 C# 动态组合SQL脚本LIKE语句及查询参数防SQL注入攻击](http://www.csframework.com/images/seo/SEO-%E8%BD%AF%E4%BB%B6%E5%BC%80%E5%8F%91.jpg)
动态组合SQL脚本的多个LIKE条件,并要求传入SQL参数防止SQL注入攻击。
![贴图图片-动态组合SQL脚本LIKE语句查询参数](http://www.csframework.com/upload/image/动态组合SQL脚本LIKE语句查询参数.png)
动态组合的SQL脚本:
![贴图图片-动态组合SQL脚本LIKE语句查询参数1(1)](http://www.csframework.com/upload/image/%E5%8A%A8%E6%80%81%E7%BB%84%E5%90%88SQL%E8%84%9A%E6%9C%ACLIKE%E8%AF%AD%E5%8F%A5%E6%9F%A5%E8%AF%A2%E5%8F%82%E6%95%B01(1).png)
参考代码1:
C# Code:
public DataTable Search(String DocType, String DeptID, String FileCaption, String DocKind)
{
//构建CommandHelper实例,用于动态创建参数对象
CommandHelper cmd = _Database.CreateCommand("");
StringBuilder sb = new StringBuilder();
sb.Append("SELECT * FROM dt_doc WHERE 1=1 ");
if (!String.IsNullOrEmpty(DocType))
{
sb.Append($" AND DocType LIKE {_Database.ParamSymboName}DocType");//拼接SQL参数
cmd.AddParam("DocType", "%" + DocType + "%");// 添加SQL参数对象,组合LIKE条件的值
}
if (!String.IsNullOrEmpty(DeptID))
{
sb.Append($" AND DeptID LIKE {_Database.ParamSymboName}DeptID");
cmd.AddParam("DeptID", "%" + DeptID + "%");
}
if (!String.IsNullOrEmpty(FileCaption))
{
sb.Append($" AND FileCaption LIKE {_Database.ParamSymboName}FileCaption");
cmd.AddParam("FileCaption", "%" + FileCaption + "%");
}
//数字类型
if (!String.IsNullOrEmpty(DocKind))
{
sb.Append($" AND DocKind = {_Database.ParamSymboName}DocKind");
cmd.AddParam("DocKind", DocKind);
}
sb.Append(" ORDER BY " + dt_Doc.__KeyName);
//给DbCommand绑定SQL脚本
DbCommand command = cmd.Command;
command.CommandText = sb.ToString();
//调用IDatabase底层组件的方法
return _Database.GetTable(command, dt_Doc.__TableName);
}
//来源:C/S框架网 | www.csframework.com | QQ:23404761
public DataTable Search(String DocType, String DeptID, String FileCaption, String DocKind)
{
//构建CommandHelper实例,用于动态创建参数对象
CommandHelper cmd = _Database.CreateCommand("");
StringBuilder sb = new StringBuilder();
sb.Append("SELECT * FROM dt_doc WHERE 1=1 ");
if (!String.IsNullOrEmpty(DocType))
{
sb.Append($" AND DocType LIKE {_Database.ParamSymboName}DocType");//拼接SQL参数
cmd.AddParam("DocType", "%" + DocType + "%");// 添加SQL参数对象,组合LIKE条件的值
}
if (!String.IsNullOrEmpty(DeptID))
{
sb.Append($" AND DeptID LIKE {_Database.ParamSymboName}DeptID");
cmd.AddParam("DeptID", "%" + DeptID + "%");
}
if (!String.IsNullOrEmpty(FileCaption))
{
sb.Append($" AND FileCaption LIKE {_Database.ParamSymboName}FileCaption");
cmd.AddParam("FileCaption", "%" + FileCaption + "%");
}
//数字类型
if (!String.IsNullOrEmpty(DocKind))
{
sb.Append($" AND DocKind = {_Database.ParamSymboName}DocKind");
cmd.AddParam("DocKind", DocKind);
}
sb.Append(" ORDER BY " + dt_Doc.__KeyName);
//给DbCommand绑定SQL脚本
DbCommand command = cmd.Command;
command.CommandText = sb.ToString();
//调用IDatabase底层组件的方法
return _Database.GetTable(command, dt_Doc.__TableName);
}
//来源:C/S框架网 | www.csframework.com | QQ:23404761
参考代码2:
C# Code:
public DataTable Search(string content)
{
string sql = "SELECT * FROM tb_MyUser ";
CommandHelper cmd = _Database.CreateCommand("");
if (!string.IsNullOrEmpty(content))
{
sql = sql + $" WHERE Account LIKE {_Database.ParamSymboName}Account OR UserName LIKE {_Database.ParamSymboName}UserName ";
cmd.AddParam("Account", "%" + content + "%");
cmd.AddParam("UserName", "%" + content + "%");
}
cmd.Command.CommandText = sql;
DataTable dt = _Database.GetTable(cmd.Command, tb_MyUser.__TableName);
return dt;
}
//来源:C/S框架网 | www.csframework.com | QQ:23404761
{
string sql = "SELECT * FROM tb_MyUser ";
CommandHelper cmd = _Database.CreateCommand("");
if (!string.IsNullOrEmpty(content))
{
sql = sql + $" WHERE Account LIKE {_Database.ParamSymboName}Account OR UserName LIKE {_Database.ParamSymboName}UserName ";
cmd.AddParam("Account", "%" + content + "%");
cmd.AddParam("UserName", "%" + content + "%");
}
cmd.Command.CommandText = sql;
DataTable dt = _Database.GetTable(cmd.Command, tb_MyUser.__TableName);
return dt;
}
//来源:C/S框架网 | www.csframework.com | QQ:23404761
![C/S框架网|原创精神.创造价值.打造精品](http://www.csframework.com/images/our03.gif)
扫一扫加作者微信
![C/S框架网作者微信](http://www.csframework.com/images/wechatcode.jpg)
![C/S框架网|原创作品.质量保障.竭诚为您服务](http://www.csframework.com/images/CS框架网提供高效优质服务.jpg)
版权声明:本文为开发框架文库发布内容,转载请附上原文出处连接
NewDoc C/S框架网