ASP.NET Core: how to add query parameters concisely in a loop

Tags: asp.net-core, dapper

When adding query parameters for Dapper in a loop, as shown below:
```csharp
if (model.UserGroupId != null && model.UserGroupId.Count > 0)
{
    var list = model.UserGroupId;
    sql += " and ( CHARINDEX(','+@group_id+',',','+mem.group_id+',')>0 ";
    paras.Add("group_id", list[0].Trim());
    for (var i = 1; i < list.Count(); i++)
    {
        string data = "@group_id" + i;
        // the placeholder lands inside the quotes, so SQL Server compares against the literal text ',@group_id1,'
        sql += " or CHARINDEX('," + data + ",',','+mem.group_id+',')>0 ";
        paras.Add(data, list[i].Trim());
    }
    sql += " )";
}
```
It does not report an error, but the query result is incorrect. I cannot use the dynamic @ parameter as the search data. How can I solve this problem?

If I use this instead, it searches correctly:
```csharp
if (model.UserGroupId != null && model.UserGroupId.Count > 0)
{
    var list = model.UserGroupId;
    sql += " and ( CHARINDEX(','+@group_id+',',','+mem.group_id+',')>0 ";
    paras.Add("group_id", list[0].Trim());
    for (var i = 1; i < list.Count(); i++)
    {
        // string data = "@group_id" + i;
        // the id is spliced straight into the SQL text, which is where the SQL injection problem comes from
        sql += " or CHARINDEX('," + list[i].Trim() + ",',','+mem.group_id+',')>0 ";
        // paras.Add(data, list[i].Trim());
    }
    sql += " )";
}
```
But it has a SQL injection problem.


```csharp
var list = model.UserGroupId;
sql += " and ( CHARINDEX(','+@group_id+',',','+mem.group_id+',')>0 ";
paras.Add("group_id", list[0].Trim());
for (var i = 1; i < list.Count(); i++)
{
    // the placeholder is concatenated outside the quotes, so each @group_idN is a real parameter
    sql += " or CHARINDEX(','+@group_id" + i + "+',',','+mem.group_id+',')>0 ";
    paras.Add("@group_id" + i, list[i].Trim());
}
sql += " )";
```
It searches correctly.


Please don't do this! If you are using SQL Server, use a stored procedure that accepts a table-valued parameter; for other RDBMSs, use a stored procedure that accepts a comma-separated string and splits it into its components inside the procedure.
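A worked version of the parameter-per-value approach, as an added example that is not code from the question or the answer: it reproduces the answer's fix as a small builder, keeps the question's broken builder beside it, and adds a check that flags a placeholder spliced inside a string literal. It assumes the Dapper NuGet package is referenced; the class and method names, the parameter-name scheme, the `mem` table alias taken from the question and the sample ids are assumptions or constructed input, and no database connection is needed to run it.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using Dapper;   // assumption: the Dapper NuGet package is referenced

public static class GroupFilterBuilder
{
    // Safe builder, following the answer: one named parameter per group id.
    // The SQL text only ever contains placeholders (@group_id0, @group_id1, ...);
    // the trimmed user values go into DynamicParameters and travel separately.
    public static (string Sql, DynamicParameters Paras) BuildSafe(IList<string> groupIds)
    {
        var paras = new DynamicParameters();
        var clauses = new List<string>();
        for (var i = 0; i < groupIds.Count; i++)
        {
            var name = "group_id" + i;   // parameter-name scheme from the answer
            clauses.Add($"CHARINDEX(','+@{name}+',', ','+mem.group_id+',') > 0");
            paras.Add(name, groupIds[i].Trim());
        }
        var sql = clauses.Count == 0 ? "" : " and ( " + string.Join(" or ", clauses) + " )";
        return (sql, paras);
    }

    // Broken builder, reproducing the question's first attempt: the placeholder is
    // spliced between the quotes, so SQL Server compares against the literal text
    // ',@group_id1,' and the parameter value is never consulted.
    public static string BuildBroken(IList<string> groupIds)
    {
        var sql = "";
        for (var i = 0; i < groupIds.Count; i++)
            sql += $" or CHARINDEX(',@group_id{i},', ','+mem.group_id+',') > 0";
        return sql;
    }

    // Review check for dynamically built SQL: no '@' may sit inside a string
    // literal, and every @name outside literals must be a declared parameter.
    public static bool PlaceholdersAreSound(string sql, IEnumerable<string> declared)
    {
        const string literal = @"'(?:[^']|'')*'";          // T-SQL literal, '' escapes a quote
        var literals = Regex.Matches(sql, literal).Select(m => m.Value);
        if (literals.Any(l => l.Contains('@'))) return false;

        var withoutLiterals = Regex.Replace(sql, literal, "''");
        var names = Regex.Matches(withoutLiterals, @"@(\w+)").Select(m => m.Groups[1].Value);
        var declaredSet = new HashSet<string>(declared);
        return names.All(declaredSet.Contains);
    }

    public static void Main()
    {
        // Constructed sample input; the value with an apostrophe is exactly the
        // kind of data that breaks or subverts a string-spliced query.
        var ids = new List<string> { " admins", "o'neil", "ops " };

        var (sql, paras) = BuildSafe(ids);
        Console.WriteLine(sql);
        Console.WriteLine("safe builder sound:   " + PlaceholdersAreSound(sql, paras.ParameterNames));
        Console.WriteLine("broken builder sound: " + PlaceholdersAreSound(BuildBroken(ids), paras.ParameterNames));

        // With a real SqlConnection the filter is appended to the base query:
        // conn.Query<Member>("select ... from mem where 1=1" + sql, paras);
    }
}
```

The check is what a reviewer wants from string-built SQL: the user values never appear in the SQL text, and the only thing that varies per request is the number of placeholders. The comment above points at the alternative that avoids building SQL per request at all, a table-valued parameter or a single comma-separated parameter split inside a stored procedure.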