Run SQL Query With Multiple Parameters
I know that to prevent SQL injection you can use parameters like @param1 and @param2, but how do you do it when you need to pass the same parameter more than once?

Right now the parameters come from two text boxes on a WinForm. But my question is: how does C# handle passing a parameter into 2 different places in the SQL string?
```sql
;WITH CTE AS
(
    SELECT
        RTRIM(LTRIM(employeename)) AS employeename
        ,psrti
        ,nes
    FROM helper1
)
SELECT
    [Employee Name] = RTRIM(LTRIM(cte.employeename))
    ,[days employed] = (SELECT COUNT([days])
                        FROM [empinfo] jb
                        WHERE CAST([hiredate] AS Date) BETWEEN @startdate AND @enddate
                          AND RTRIM(LTRIM(jb.employeename)) = RTRIM(LTRIM(cte.employeename)))
    ,[terminated emps] = (SELECT COUNT(empID) FROM terminate WHERE [termination date] BETWEEN @startdate AND @enddate)
FROM hrfile hr1
RIGHT JOIN CTE cte
    ON hr1.employeename = cte.employeename
GROUP BY RTRIM(LTRIM(cte.employeename)), RTRIM(LTRIM(hr1.employeename)), cte.nes
ORDER BY RTRIM(LTRIM(cte.employeename)) ASC
```
I know that for only the first set of parameters I would do:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// The query text from above goes here; both @startdate and @enddate appear in it twice.
string sql = "";
using (SqlConnection connection = new SqlConnection(/* connection info */))
using (SqlCommand command = new SqlCommand(sql, connection))
{
    // Parameter names must match the placeholders used in the query text.
    var param1 = new SqlParameter("@startdate", SqlDbType.DateTime);
    var param2 = new SqlParameter("@enddate", SqlDbType.DateTime);
    // Text box values are strings; convert them so the typed parameter carries a real date.
    param1.Value = DateTime.Parse(txtOne.Text);
    param2.Value = DateTime.Parse(txtTwo.Text);
    command.Parameters.Add(param1);
    command.Parameters.Add(param2);
    connection.Open();
    var results = command.ExecuteReader();
}
```
You do it the same way even when a parameter is used more than once (set the parameter value only once). C#/ADO.NET will take care of replacing the parameter with the assigned value in every place it appears.
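An added example (not from the question or answer) showing the same rule with a query of the same shape: each of @startdate and @enddate is declared once and referenced in two subqueries, and a value that would break out of a concatenated string is simply bound as data. It uses Python with an in-memory SQLite database rather than C#/SQL Server so it runs offline; the table names, columns and rows are constructed for the demo, and SQLite accepts the same @name placeholder syntax.

```python
import sqlite3

# Constructed sample data standing in for the question's empinfo/terminate tables.
SAMPLE_ROWS = {
    "empinfo": [("alice ", "2020-03-01", 5), ("bob", "2021-06-15", 7), ("alice", "2019-01-10", 2)],
    "terminate": [(1, "2020-05-05"), (2, "2022-01-01")],
}

# Same shape as the question's query: @startdate and @enddate each appear in two
# separate subqueries but are bound once. The driver resolves every occurrence
# of a name to the same bound value; nothing is textually substituted.
SQL = """
WITH cte AS (
    SELECT DISTINCT TRIM(employeename) AS employeename FROM empinfo
)
SELECT
    cte.employeename AS [Employee Name],
    (SELECT COUNT(days) FROM empinfo jb
      WHERE DATE(jb.hiredate) BETWEEN @startdate AND @enddate
        AND TRIM(jb.employeename) = cte.employeename) AS [days employed],
    (SELECT COUNT(empID) FROM terminate
      WHERE termination_date BETWEEN @startdate AND @enddate) AS [terminated emps]
FROM cte
ORDER BY cte.employeename
"""


def build_db():
    """Create the in-memory tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE empinfo (employeename TEXT, hiredate TEXT, days INTEGER)")
    conn.execute("CREATE TABLE terminate (empID INTEGER, termination_date TEXT)")
    conn.executemany("INSERT INTO empinfo VALUES (?, ?, ?)", SAMPLE_ROWS["empinfo"])
    conn.executemany("INSERT INTO terminate VALUES (?, ?)", SAMPLE_ROWS["terminate"])
    return conn


def run_report(conn, start_text, end_text):
    """Bind the two text-box values once (keyed by name without the @ prefix).
    Returns [(name, days_employed, terminated_emps), ...] ordered by name."""
    params = {"startdate": start_text, "enddate": end_text}
    return conn.execute(SQL, params).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(run_report(db, "2020-01-01", "2020-12-31"))
    # A quote-and-OR string stays a plain (non-matching) date value when bound.
    print(run_report(db, "2020-01-01", "' OR '1'='1"))
```

With concatenation, the second call would turn the range check into `... AND '' OR '1'='1'` and count every row; bound as a parameter it matches nothing.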