问题描述
当我正在看书学习C#(可能是一些老的的Visual Studio 2005
书)我遇到的意见总是使用的SqlCommand。 prepare
每次我执行SQL调用(无论其一个 SELECT
/ 更新
或插入
上的SQL Server 2005/2008),我向它传递参数。 但是否真的如此?
When i was reading books to learn C# (might be some old Visual Studio 2005
books) I've encountered advice to always use SqlCommand.Prepare
everytime I execute SQL call (whether its' a SELECT
/UPDATE
or INSERT
on SQL SERVER 2005/2008) and I pass parameters to it. But is it really so?
-
如果不能做到每次都?或者只是有时候?
Should it be done every time? Or just sometimes?
不要紧,无论是传递一个参数或五或二十?
Does it matter whether it's one parameter being passed or five or twenty?
应该给如有什么提升?难道是明显在所有(我一直在使用的SqlCommand。prepare
这里跳过它那里,从未发生过任何问题或明显的差异)。
What boost should it give if any? Would it be noticeable at all (I've been using SqlCommand.Prepare
here and skipped it there and never had any problems or noticeable differences).
有关问题,这是我一贯的code,我使用的缘故,而这更是一个普遍的问题的。
For the sake of the question this is my usual code that I use, but this is more of a general question.
public static decimal pobierzBenchmarkKolejny(string varPortfelID, DateTime data, decimal varBenchmarkPoprzedni, decimal varStopaOdniesienia) {
const string preparedCommand = @"SELECT [dbo].[ufn_BenchmarkKolejny](@varPortfelID, @data, @varBenchmarkPoprzedni, @varStopaOdniesienia) AS 'Benchmark'";
using (var varConnection = Locale.sqlConnectOneTime(Locale.sqlDataConnectionDetailsDZP)) //if (varConnection != null) {
using (var sqlQuery = new SqlCommand(preparedCommand, varConnection)) {
sqlQuery.Prepare();
sqlQuery.Parameters.AddWithValue("@varPortfelID", varPortfelID);
sqlQuery.Parameters.AddWithValue("@varStopaOdniesienia", varStopaOdniesienia);
sqlQuery.Parameters.AddWithValue("@data", data);
sqlQuery.Parameters.AddWithValue("@varBenchmarkPoprzedni", varBenchmarkPoprzedni);
using (var sqlQueryResult = sqlQuery.ExecuteReader())
if (sqlQueryResult != null) {
while (sqlQueryResult.Read()) {
}
}
}
}
补充说明:
如果我移动的SQLQuery。prepare()
象异常低于code被抛出的大小必须明确声明,这基本上使我要以为有的SQLQuery。prepare()
作为第一个使得它没用?用我的例子有人可以显示正确的使用情况如何?
If i move sqlQuery.Prepare()
like in code below exception is thrown that the size has to be explicitly declared, which basically leads me to thinking that having sqlQuery.Prepare()
as first makes it useless? Can someone show the proper usage using my example?
public static decimal pobierzBenchmarkKolejny(string varPortfelID, DateTime data, decimal varBenchmarkPoprzedni, decimal varStopaOdniesienia) {
const string preparedCommand = @"SELECT [dbo].[ufn_BenchmarkKolejny](@varPortfelID, @data, @varBenchmarkPoprzedni, @varStopaOdniesienia) AS 'Benchmark'";
using (var varConnection = Locale.sqlConnectOneTime(Locale.sqlDataConnectionDetailsDZP)) //if (varConnection != null) {
using (var sqlQuery = new SqlCommand(preparedCommand, varConnection)) {
sqlQuery.Parameters.AddWithValue("@varPortfelID", varPortfelID);
sqlQuery.Parameters.AddWithValue("@varStopaOdniesienia", varStopaOdniesienia);
sqlQuery.Parameters.AddWithValue("@data", data);
sqlQuery.Parameters.AddWithValue("@varBenchmarkPoprzedni", varBenchmarkPoprzedni);
sqlQuery.Prepare();
using (var sqlQueryResult = sqlQuery.ExecuteReader())
if (sqlQueryResult != null) {
while (sqlQueryResult.Read()) {
}
}
}
}
我会怎么做呢?通过添加.size旁边的参数和做varPortfel.Lenght如果它是一个字符串,等等?
How would I do that? By adding .size next to parameters and doing varPortfel.Lenght if it's a string etc?
推荐答案
从MSDN文档:
在你打电话prepare,指定
在每个参数的数据类型
声明是prepared。对于每一个
具有可变长度参数
数据类型,就必须设置大小
属性到所需要的最大尺寸。
prepare返回,如果这些错误
条件不具备。
如果你调用后执行的方法
调用prepare,任何参数值
比该值大
由Size属性指定为
自动截断到
的原始指定大小
参数,并没有截断误差
被返回。
If you call an Execute method after calling Prepare, any parameter value that is larger than the value specified by the Size property is automatically truncated to the original specified size of the parameter, and no truncation errors are returned.
输出参数($ P $是否ppared或
不)必须有一个用户指定的数据
类型。如果指定了可变长度
数据类型,您还必须指定
最大尺寸。
Output parameters (whether prepared or not) must have a user-specified data type. If you specify a variable length data type, you must also specify the maximum Size."
此外,如果将CommandType
属性设置为TableDirect,
prepare什么都不做。如果的CommandType
设置为StoredProcedure,调用
prepare应该会成功,...
Furthermore, "If the CommandType property is set to TableDirect, Prepare does nothing. If CommandType is set to StoredProcedure, the call to Prepare should succeed, ..."
这一般是用来确保最终用户没有使用SQL注入技术来添加或删除信息,你不希望他们太从数据库中。
This in general is used to make sure that the end user is not using a SQL Injection technique to add or remove information you do not want them too from the database.
我看着它,并检查了这篇文章<一个href=\"http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.$p$ppare.aspx\">http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.$p$ppare.aspx.你的问题是你需要定义参数才能运行。prepare(),然后设置参数运行后。prepare()。现在你在做前两种。我会尝试这样的事情(注意我没有测试它,所以我的语法可能有点过)。
I looked into it and check out this article http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.prepare.aspx. Your issue is you need to define your parameters before you run .Prepare() and then set your parameters after you run .Prepare(). Right now you are doing both before. I would try something like this (Note I didn't test it so my syntax might be a bit off).
public static decimal pobierzBenchmarkKolejny(string varPortfelID, DateTime data, decimal varBenchmarkPoprzedni, decimal varStopaOdniesienia) {
const string preparedCommand = @"SELECT [dbo].[ufn_BenchmarkKolejny](@varPortfelID, @data, @varBenchmarkPoprzedni, @varStopaOdniesienia) AS 'Benchmark'";
using (var varConnection = Locale.sqlConnectOneTime(Locale.sqlDataConnectionDetailsDZP)) //if (varConnection != null) {
using (var sqlQuery = new SqlCommand(preparedCommand, varConnection)) {
sqlQuery.Parameters.Add("@varPortfelID");
sqlQuery.Parameters.Add("@varStopaOdniesienia");
sqlQuery.Parameters.Add("@data");
sqlQuery.Parameters.Add("@varBenchmarkPoprzedni");
sqlQuery.Prepare();
sqlQuery.ExecuteNonQuery();//This might need to be ExecuteReader()
sqlQuery.Parameters[0].Value = varPortfelID;
sqlQuery.Parameters[1].Value = varStopaOdniesienia;
sqlQuery.Parameters[2].Value = data;
sqlQuery.Parameters[3].Value = varBenchmarkPoprzedni;
using (var sqlQueryResult = sqlQuery.ExecuteReader())
if (sqlQueryResult != null) {
while (sqlQueryResult.Read()) {
}
}
}
}
这篇关于优点和缺点在C#中使用的SqlCommand prepare的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!