This article describes how to use a parameterized SQL SELECT that contains a LIKE clause. It is offered as a reference for anyone facing the same problem; follow along below.

Problem description

I want to use parameters in my select command to make my project immune to SQL injection. My SQL select command includes a "like" clause. I couldn't find any samples that show how to do such a thing. Here is what I could come up with:

    ' The "%" is placed directly after the parameter name inside the SQL text
    Dim strSQLQuery As String = "select column_id from table_searchenteries where (column_StdFamily like @strFamilyNameReverseFirst6%)"
    Dim nonqueryCommand1 As SqlCommand = objDatabase.MainConnection.CreateCommand()
    nonqueryCommand1.CommandText = strSQLQuery
    nonqueryCommand1.Parameters.Add("@strFamilyNameReverseFirst6", SqlDbType.NVarChar, 100)
    nonqueryCommand1.Prepare()
    nonqueryCommand1.Parameters("@strFamilyNameReverseFirst6").Value = objPerson.strFamilyNameReverseFirst6
    Dim reader As SqlDataReader = nonqueryCommand1.ExecuteReader()

Solution

Hi,

Try this:

    ' The parameter stays a parameter; the trailing "%" is appended inside SQL
    comm.CommandText = "select column_id from table_searchenteries where (column_StdFamily like " & _
                       "   @strFamilyNameReverseFirst6 + '%')"

For further reference please check this link:
http://stackoverflow.com/questions/303149/parameterized-queries-with-like-and-in-conditions

That concludes this article on parameterized SQL SELECT with LIKE. We hope the recommended answer helps, and thank you for your continued support!
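The approach the answer gives, as an added example that is not part of the original post or of the linked thread: the query family is run against sqlite3 in Python because that runs offline; the post targets SqlCommand and SQL Server, where the placeholder is @name and string concatenation is +, so sqlite3's ? and || are stand-ins for those. The table and its rows are constructed for the example. It also covers a caveat the answer does not mention: the user's text can itself contain % or _, and a parameter passes those through unchanged as LIKE wildcards, so an ESCAPE clause is needed when the input is meant to match literally.

```python
"""Parameterized LIKE with wildcard escaping, demonstrated on sqlite3.

Added example, not code from the original post. The post uses SqlCommand
against SQL Server; sqlite3 is used here only because it runs offline.
Differences that matter: sqlite3 uses '?' placeholders and '||' for string
concatenation where T-SQL uses '@name' and '+'. ESCAPE works the same way.
"""
import sqlite3

# Constructed sample rows (not from the original post). Rows 3 and 5 contain
# LIKE metacharacters on purpose.
SAMPLE_ROWS = [
    (1, "Smith"),
    (2, "Smithson"),
    (3, "Sm_th"),
    (4, "Jones"),
    (5, "%Smith"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table with the column names used in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE table_searchenteries (column_id INTEGER, column_StdFamily TEXT)"
    )
    conn.executemany("INSERT INTO table_searchenteries VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn: sqlite3.Connection, prefix: str) -> list:
    """What the question was trying to avoid: the value is pasted into the SQL
    text, so a quote in the input changes the statement."""
    sql = (
        "SELECT column_id FROM table_searchenteries "
        f"WHERE column_StdFamily LIKE '{prefix}%' ORDER BY column_id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_param(conn: sqlite3.Connection, prefix: str) -> list:
    """The answer's approach: the value stays a bound parameter and the
    trailing '%' is appended inside SQL. Injection is no longer possible, but
    '%' and '_' inside the input still act as wildcards."""
    sql = (
        "SELECT column_id FROM table_searchenteries "
        "WHERE column_StdFamily LIKE (? || '%') ORDER BY column_id"
    )
    return [row[0] for row in conn.execute(sql, (prefix,))]


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so user input matches literally.
    The escape character itself must be doubled first."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_param_literal(conn: sqlite3.Connection, prefix: str) -> list:
    """Bound parameter plus ESCAPE: the user's text is matched literally and
    only the '%' appended in SQL is a wildcard."""
    sql = (
        "SELECT column_id FROM table_searchenteries "
        "WHERE column_StdFamily LIKE (? || '%') ESCAPE '\\' ORDER BY column_id"
    )
    return [row[0] for row in conn.execute(sql, (escape_like(prefix),))]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, injected :", search_unsafe(db, "' OR 1=1 --"))
    print("param, injected  :", search_param(db, "' OR 1=1 --"))
    print("param, 'Sm_'     :", search_param(db, "Sm_"))
    print("literal, 'Sm_'   :", search_param_literal(db, "Sm_"))
    print("param, '%Smith'  :", search_param(db, "%Smith"))
    print("literal, '%Smith':", search_param_literal(db, "%Smith"))
```

The T-SQL form of the last query is `LIKE @strFamilyNameReverseFirst6 + '%' ESCAPE '\'` with the same escaping applied to the value before it is bound. Note that sqlite3's LIKE is case-insensitive for ASCII by default, which is why "Sm_" also matches "Smith" and "Smithson" in the unescaped case.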
09-27 04:18