Asp.net core: how to add Dapper query parameters in a loop _Asp.net Core_Dapper - Fatal编程技术网

Asp.net core: how to add Dapper query parameters in a loop


When adding query parameters for Dapper in a loop, like this:

if (model.UserGroupId != null && model.UserGroupId.Count>0)
{
    var list = model.UserGroupId;
    sql += " and ( CHARINDEX(','+@group_id+',',','+mem.group_id+',')>0 ";
    paras.Add("group_id", list[0].Trim());
    for (var i = 1; i < list.Count(); i++)
    {
        string data = "@group_id" + i;
        // Bug: data is spliced inside the quotes, so SQL Server compares against the
        // literal text ',@group_id1,' and never reads the parameter registered below
        sql += " or CHARINDEX('," + data + ",',','+mem.group_id+',')>0 ";
        paras.Add(data, list[i].Trim());
    }
    sql += " )";
}
It does not report an error, but the query result is incorrect. I cannot use the dynamic @ as the result for the search data. How can I solve this?

If I use this, it searches correctly:

if (model.UserGroupId != null && model.UserGroupId.Count > 0)
{
    var list = model.UserGroupId;
    sql += " and ( CHARINDEX(','+@group_id+',',','+mem.group_id+',')>0 ";
    paras.Add("group_id", list[0].Trim());
    for (var i = 1; i < list.Count(); i++)
    {
        //  string data = "@group_id" + i;
        // The user-supplied value is concatenated straight into the SQL text
        sql += " or CHARINDEX('," + list[i].Trim() + ",',','+mem.group_id+',')>0 ";
        // paras.Add(data, list[i].Trim());
    }
    sql += " )";
}
But it has a SQL injection problem.

var list = model.UserGroupId;
sql += " and ( CHARINDEX(','+@group_id+',',','+mem.group_id+',')>0 ";
paras.Add("group_id", list[0].Trim());
for (var i = 1; i < list.Count(); i++)
{
    // Only the parameter name goes into the SQL text, concatenated outside the
    // quotes, so the result is ','+@group_id1+',' and the value stays a parameter
    sql += " or CHARINDEX(','+@group_id" + i + "+',',','+mem.group_id+',')>0 ";
    paras.Add("@group_id" + i, list[i].Trim());
}
sql += " )";

It searches correctly.
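As an added example (not the poster's or the answerer's code), the same parameterisation factored into a helper that builds the filter for any number of ids; the `@group_id0..n` naming, the `member mem` table alias and the sample values are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Dapper;

// Added example: the filter from the answer above, factored into a helper.
// Only the parameter *name* is spliced into the SQL text; each user value is
// registered with Dapper and travels to SQL Server as a typed parameter.
public static class GroupFilter
{
    // Appends " and ( ... or ... )" to sql and returns the appended fragment.
    public static string Append(StringBuilder sql, IReadOnlyList<string> groupIds, DynamicParameters paras)
    {
        if (groupIds == null || groupIds.Count == 0)
            return string.Empty;

        var fragment = new StringBuilder(" and (");
        for (var i = 0; i < groupIds.Count; i++)
        {
            // Assumed naming scheme: @group_id0, @group_id1, ...
            var name = "@group_id" + i;
            fragment.Append(i == 0 ? " " : " or ");
            // The placeholder sits outside the quotes: ','+@group_idN+','.
            // Writing it inside them (',@group_idN,') makes it literal text,
            // which is why the question's first version matched nothing.
            fragment.Append("CHARINDEX(','+").Append(name)
                    .Append("+',', ','+mem.group_id+',') > 0");
            paras.Add(name, groupIds[i].Trim());
        }
        fragment.Append(" )");
        sql.Append(fragment);
        return fragment.ToString();
    }

    public static void Main()
    {
        // Constructed sample input; the quote in the last value would break
        // a query that concatenated the values directly into the SQL text.
        var ids = new List<string> { " 12 ", "7", "O'Brien" };
        var paras = new DynamicParameters();
        var sql = new StringBuilder("select * from member mem where 1=1"); // assumed table and alias

        Append(sql, ids, paras);

        Console.WriteLine(sql);
        // Dapper stores parameter names without the leading '@'.
        foreach (var name in paras.ParameterNames)
            Console.WriteLine($"{name} = {paras.Get<string>(name)}");
    }
}
```

Running it prints a query containing only `@group_id0`, `@group_id1` and `@group_id2`, while the trimmed values, including the one with the quote, appear solely in the parameter list.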

Please don't do this! If you are using SQL Server, use a stored procedure that accepts a table-valued parameter; for other RDBMSs, use a stored procedure that accepts a comma-separated string and splits it into its components inside the procedure.