参数化查询
Paramterized Queries
我是 Visual C# 新手,我对如何编写参数化查询感到困惑。这是没有它们的我的代码,
using System;
using System.Windows.Forms;
using System.Data.SqlClient;
namespace Insert_Data
{
public partial class Form1 : Form
{
private void button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection("Data Source=ZTABASSUM\SQLEXPRESS01;Initial Catalog=IntroDataBase;Integrated Security=True");
con.Open();
SqlCommand sc = new SqlCommand("Insert into employee values ('"+ textBox1.Text +"' , " + textBox2.Text + ", '" + textBox3.Text + "', " + textBox4.Text + ", " + textBox5.Text + ");", con);
int o = sc.ExecuteNonQuery();
MessageBox.Show(o + ":Record has been inserted");
con.Close();
}
}
}
我不确定如何为每个文本框编写参数化查询。
您应该在 SQL 命令对象上使用创建参数方法
将 SQL 命令中的字符串更改为
"Insert into employee values (@Employee1,@Employee2,@Employee3,@Employee4,@Employee5);"
然后在执行查询之前添加参数:
sc.Parameters.AddRange(new[]{
new SqlParameter("@Employee1",SqlDbType.VarChar,255){ Value= textBox1.Text},
new SqlParameter("@Employee2",SqlDbType.VarChar,255){ Value= textBox2.Text},
new SqlParameter("@Employee3",SqlDbType.VarChar,255){ Value= textBox3.Text},
new SqlParameter("@Employee4",SqlDbType.VarChar,255){ Value= textBox4.Text},
new SqlParameter("@Employee5",SqlDbType.VarChar,255){ Value= textBox5.Text}
});
注意: 这是假设您的 SQL 变量的类型为 VARCHAR,大小为 255,有关正在使用的方法和正在使用的 SqlParameter 构造函数的更多信息,请查看 MSDN 以获取更多文档。
如果您有数据库上下文,您可以这样做:
int rowsAffected = context.
ExecuteStoreCommand("Insert into employee values ({0}, {1}, {2}, {3}, {4})",
textBox1.Text,
textBox2.Text,
textBox3.Text,
textBox4.Text,
textBox5.Text);
MessageBox.Show(rowsAffected + ":Record has been inserted");\
cf https://msdn.microsoft.com/en-us/library/ee358769%28v=vs.100%29.aspx
参数化查询用于避免 sql 注入。不直接包含参数(数据)的查询称为参数化查询。通过使用它,我们可以避免 sql 注入(一种黑客攻击)。
c# 中的参数化查询示例
string strQuery;
SqlCommand cmd;
strQuery = "insert into customers (CustomerID, CompanyName) values(@CustomerID, @CompanyName)";
cmd = new SqlCommand(strQuery);
cmd.Parameters.AddWithValue("@CustomerID", "A234");
cmd.Parameters.AddWithValue("@CompanyName", "DCB");
String strConnString = system.Configuration.ConfigurationManager.ConnectionStrings["conString"].ConnectionString;
SqlConnection con = new SqlConnection(strConnString);
cmd.CommandType = CommandType.Text;
cmd.Connection = con;
try
{
con.Open();
cmd.ExecuteNonQuery();
return true;
}
catch (Exception ex)
{
Response.Write(ex.Message);
return false;
}
finally
{
con.Close();
con.Dispose();
}
..
同样,您也可以使用 for select 查询 ..
参考这个link
请停止使用 AddWithValue,因为它会推断数据库类型(错误)并且在我看来也不是干净的代码。
这里有一些简单的代码可以帮助您入门。
OracleConnection connection = GetConnection();
OracleCommand command = connection.CreateCommand();
command.CommandText = procedure;
command.CommandType = CommandType.StoredProcedure;
command.Parameters.Add("INID", OracleDbType.Int32).Value = person.PersonID;
command.Parameters.Add("REFCURSOR", OracleDbType.RefCursor).Direction = ParameterDirection.Output;
不要介意是Oracle,同样的道理也适用于SQL。
我在代码中添加了注释以及 best practices 之后的回顾。
// best practice - use meaningful method names
private void buttonSaveEmployee_Click(object sender, EventArgs e)
{
// best practice - wrap all database connections in a using block so they are always closed & disposed even in the event of an Exception
// best practice - retrieve the connection string by name from the app.config or web.config (depending on the application type) (note, this requires an assembly reference to System.configuration)
using(SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionName"].ConnectionString))
{
// best practice - use column names in your INSERT statement so you are not dependent on the sql schema column order
// best practice - always use parameters to avoid sql injection attacks and errors if malformed text is used like including a single quote which is the sql equivalent of escaping or starting a string (varchar/nvarchar)
// best practice - give your parameters meaningful names just like you do variables in your code
SqlCommand sc = new SqlCommand("INSERT INTO employee (FirstName, LastName, DateOfBirth /*etc*/) VALUES (@firstName, @lastName, @dateOfBirth /*etc*/)", con);
// best practice - always specify the database data type of the column you are using
// best practice - check for valid values in your code and/or use a database constraint, if inserting NULL then use System.DbNull.Value
sc.Parameters.Add(new SqlParameter("@firstName", SqlDbType.VarChar, 200){Value = string.IsNullOrEmpty(textBoxFirstName.Text) ? (object) System.DBNull.Value : (object) textBoxFirstName.Text});
sc.Parameters.Add(new SqlParameter("@lastName", SqlDbType.VarChar, 200){Value = string.IsNullOrEmpty(textBoxLastName.Text) ? (object) System.DBNull.Value : (object) textBoxLastName.Text});
// best practice - always use the correct types when specifying your parameters, in this case a string is converted to a DateTime type before being assigned to the SqlParameter.Value
// note - this is not a very robust way to parse a date as the user is never notified in the event of failure, the purpose here is simply to show how to use parameters of various types
DateTime dob;
sc.Parameters.Add(new SqlParameter("@dateOfBirth", SqlDbType.Date){Value = DateTime.TryParse(textBoxDateOfBirth.Text, out dob) ? (object) dob : (object) System.DBNull.Value});
// best practice - open your connection as late as possible unless you need to verify that the database connection is valid and wont fail and the proceeding code execution takes a long time (not the case here)
con.Open();
int o = sc.ExecuteNonQuery();
MessageBox.Show(o + ":Record has been inserted");
// the end of the using block will close and dispose the SqlConnection
// best practice - end the using block as soon as possible to release the database connection
}
}
使用 ADO.NET
的最佳实践回顾
- 将所有数据库连接包装在一个 using 块中,以便即使在发生异常时也始终关闭和处置它们。有关使用语句的更多信息,请参阅 using Statement (C# Reference)
- 从 app.config 或 web.config 中按名称检索连接字符串(取决于应用程序类型)
- 这需要对
System.configuration 的程序集引用
- 有关如何构建配置文件的更多信息,请参阅 Connection Strings and Configuration Files
- 始终使用传入值的参数来
- 避免 sql injection 攻击
- 如果使用格式错误的文本(例如包含单引号)避免错误,这相当于 sql 转义或开始字符串 (varchar/nvarchar)
- 让数据库提供者重用查询计划(并非所有数据库提供者都支持)以提高效率
- 使用参数时
- 给你的 Sql 参数有意义的名字,就像你在代码中给变量一样
- 指定您正在使用的列的数据库数据类型,这确保不会使用可能导致意外结果的错误参数类型
- 在将传入参数传递到命令之前验证传入参数,在垃圾输出中有一个称为垃圾的表达式。尽早在堆栈中验证传入值
- 分配参数值时使用正确的类型,例如:不要分配 DateTime 的字符串值,而是将实际的 DateTime 实例分配给参数值
- 不要使用方法AddWithValue, the main reason is it is very easy to forget to specify the parameter type or the precision/scale when needed. For additional information see Can we stop using AddWithValue already?
- 使用数据库连接时
- 尽可能晚打开连接,尽快关闭连接。这是使用任何外部资源时的一般准则
- 永远不要共享数据库连接(例如:让单例主机共享数据库连接)。让您的代码始终在需要时创建一个新的数据库连接实例,然后让调用代码处理它并在完成时 "throw it away" 。这样做的原因是
- 大多数数据库提供程序都有某种连接池,因此在托管代码中这样做非常便宜
- 如果代码开始使用多线程,它会消除任何未来的错误
我是 Visual C# 新手,我对如何编写参数化查询感到困惑。这是没有它们的我的代码,
using System;
using System.Windows.Forms;
using System.Data.SqlClient;
namespace Insert_Data
{
public partial class Form1 : Form
{
private void button1_Click(object sender, EventArgs e)
{
SqlConnection con = new SqlConnection("Data Source=ZTABASSUM\SQLEXPRESS01;Initial Catalog=IntroDataBase;Integrated Security=True");
con.Open();
SqlCommand sc = new SqlCommand("Insert into employee values ('"+ textBox1.Text +"' , " + textBox2.Text + ", '" + textBox3.Text + "', " + textBox4.Text + ", " + textBox5.Text + ");", con);
int o = sc.ExecuteNonQuery();
MessageBox.Show(o + ":Record has been inserted");
con.Close();
}
}
}
我不确定如何为每个文本框编写参数化查询。
您应该在 SQL 命令对象上使用创建参数方法
将 SQL 命令中的字符串更改为
"Insert into employee values (@Employee1,@Employee2,@Employee3,@Employee4,@Employee5);"
然后在执行查询之前添加参数:
sc.Parameters.AddRange(new[]{
new SqlParameter("@Employee1",SqlDbType.VarChar,255){ Value= textBox1.Text},
new SqlParameter("@Employee2",SqlDbType.VarChar,255){ Value= textBox2.Text},
new SqlParameter("@Employee3",SqlDbType.VarChar,255){ Value= textBox3.Text},
new SqlParameter("@Employee4",SqlDbType.VarChar,255){ Value= textBox4.Text},
new SqlParameter("@Employee5",SqlDbType.VarChar,255){ Value= textBox5.Text}
});
注意: 这是假设您的 SQL 变量的类型为 VARCHAR,大小为 255,有关正在使用的方法和正在使用的 SqlParameter 构造函数的更多信息,请查看 MSDN 以获取更多文档。
如果您有数据库上下文,您可以这样做:
int rowsAffected = context.
ExecuteStoreCommand("Insert into employee values ({0}, {1}, {2}, {3}, {4})",
textBox1.Text,
textBox2.Text,
textBox3.Text,
textBox4.Text,
textBox5.Text);
MessageBox.Show(rowsAffected + ":Record has been inserted");\
cf https://msdn.microsoft.com/en-us/library/ee358769%28v=vs.100%29.aspx
参数化查询用于避免 sql 注入。不直接包含参数(数据)的查询称为参数化查询。通过使用它,我们可以避免 sql 注入(一种黑客攻击)。
c# 中的参数化查询示例
string strQuery;
SqlCommand cmd;
strQuery = "insert into customers (CustomerID, CompanyName) values(@CustomerID, @CompanyName)";
cmd = new SqlCommand(strQuery);
cmd.Parameters.AddWithValue("@CustomerID", "A234");
cmd.Parameters.AddWithValue("@CompanyName", "DCB");
String strConnString = system.Configuration.ConfigurationManager.ConnectionStrings["conString"].ConnectionString;
SqlConnection con = new SqlConnection(strConnString);
cmd.CommandType = CommandType.Text;
cmd.Connection = con;
try
{
con.Open();
cmd.ExecuteNonQuery();
return true;
}
catch (Exception ex)
{
Response.Write(ex.Message);
return false;
}
finally
{
con.Close();
con.Dispose();
}
..
同样,您也可以使用 for select 查询 ..
参考这个link
请停止使用 AddWithValue,因为它会推断数据库类型(错误)并且在我看来也不是干净的代码。
这里有一些简单的代码可以帮助您入门。
OracleConnection connection = GetConnection();
OracleCommand command = connection.CreateCommand();
command.CommandText = procedure;
command.CommandType = CommandType.StoredProcedure;
command.Parameters.Add("INID", OracleDbType.Int32).Value = person.PersonID;
command.Parameters.Add("REFCURSOR", OracleDbType.RefCursor).Direction = ParameterDirection.Output;
不要介意是Oracle,同样的道理也适用于SQL。
我在代码中添加了注释以及 best practices 之后的回顾。
// best practice - use meaningful method names
private void buttonSaveEmployee_Click(object sender, EventArgs e)
{
// best practice - wrap all database connections in a using block so they are always closed & disposed even in the event of an Exception
// best practice - retrieve the connection string by name from the app.config or web.config (depending on the application type) (note, this requires an assembly reference to System.configuration)
using(SqlConnection con = new SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings["MyConnectionName"].ConnectionString))
{
// best practice - use column names in your INSERT statement so you are not dependent on the sql schema column order
// best practice - always use parameters to avoid sql injection attacks and errors if malformed text is used like including a single quote which is the sql equivalent of escaping or starting a string (varchar/nvarchar)
// best practice - give your parameters meaningful names just like you do variables in your code
SqlCommand sc = new SqlCommand("INSERT INTO employee (FirstName, LastName, DateOfBirth /*etc*/) VALUES (@firstName, @lastName, @dateOfBirth /*etc*/)", con);
// best practice - always specify the database data type of the column you are using
// best practice - check for valid values in your code and/or use a database constraint, if inserting NULL then use System.DbNull.Value
sc.Parameters.Add(new SqlParameter("@firstName", SqlDbType.VarChar, 200){Value = string.IsNullOrEmpty(textBoxFirstName.Text) ? (object) System.DBNull.Value : (object) textBoxFirstName.Text});
sc.Parameters.Add(new SqlParameter("@lastName", SqlDbType.VarChar, 200){Value = string.IsNullOrEmpty(textBoxLastName.Text) ? (object) System.DBNull.Value : (object) textBoxLastName.Text});
// best practice - always use the correct types when specifying your parameters, in this case a string is converted to a DateTime type before being assigned to the SqlParameter.Value
// note - this is not a very robust way to parse a date as the user is never notified in the event of failure, the purpose here is simply to show how to use parameters of various types
DateTime dob;
sc.Parameters.Add(new SqlParameter("@dateOfBirth", SqlDbType.Date){Value = DateTime.TryParse(textBoxDateOfBirth.Text, out dob) ? (object) dob : (object) System.DBNull.Value});
// best practice - open your connection as late as possible unless you need to verify that the database connection is valid and wont fail and the proceeding code execution takes a long time (not the case here)
con.Open();
int o = sc.ExecuteNonQuery();
MessageBox.Show(o + ":Record has been inserted");
// the end of the using block will close and dispose the SqlConnection
// best practice - end the using block as soon as possible to release the database connection
}
}
使用 ADO.NET
的最佳实践回顾- 将所有数据库连接包装在一个 using 块中,以便即使在发生异常时也始终关闭和处置它们。有关使用语句的更多信息,请参阅 using Statement (C# Reference)
- 从 app.config 或 web.config 中按名称检索连接字符串(取决于应用程序类型)
- 这需要对
System.configuration 的程序集引用
- 有关如何构建配置文件的更多信息,请参阅 Connection Strings and Configuration Files
- 这需要对
- 始终使用传入值的参数来
- 避免 sql injection 攻击
- 如果使用格式错误的文本(例如包含单引号)避免错误,这相当于 sql 转义或开始字符串 (varchar/nvarchar)
- 让数据库提供者重用查询计划(并非所有数据库提供者都支持)以提高效率
- 使用参数时
- 给你的 Sql 参数有意义的名字,就像你在代码中给变量一样
- 指定您正在使用的列的数据库数据类型,这确保不会使用可能导致意外结果的错误参数类型
- 在将传入参数传递到命令之前验证传入参数,在垃圾输出中有一个称为垃圾的表达式。尽早在堆栈中验证传入值
- 分配参数值时使用正确的类型,例如:不要分配 DateTime 的字符串值,而是将实际的 DateTime 实例分配给参数值
- 不要使用方法AddWithValue, the main reason is it is very easy to forget to specify the parameter type or the precision/scale when needed. For additional information see Can we stop using AddWithValue already?
- 使用数据库连接时
- 尽可能晚打开连接,尽快关闭连接。这是使用任何外部资源时的一般准则
- 永远不要共享数据库连接(例如:让单例主机共享数据库连接)。让您的代码始终在需要时创建一个新的数据库连接实例,然后让调用代码处理它并在完成时 "throw it away" 。这样做的原因是
- 大多数数据库提供程序都有某种连接池,因此在托管代码中这样做非常便宜
- 如果代码开始使用多线程,它会消除任何未来的错误