C# 如何在SQLite查询中对参数使用Like运算符?
我可以通过在LINQPad中输入以下内容获得预期结果:C# 如何在SQLite查询中对参数使用Like运算符?,c#,sqlite,sql-injection,sql-like,query-parameters,C#,Sqlite,Sql Injection,Sql Like,Query Parameters,我可以通过在LINQPad中输入以下内容获得预期结果: SELECT * FROM WorkTable WHERE WTName LIKE "DSD__20090410014953000%" (它显示了WTName值为DSD_uu20090410014953000.xml的记录) 但试图通过编程实现这一点证明是在尝试。我尝试了: const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName%"; usin
SELECT * FROM WorkTable WHERE WTName LIKE "DSD__20090410014953000%"
const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName%";
using (SQLiteConnection con = new SQLiteConnection(HHSUtils.GetDBConnection()))
{
con.Open();
SQLiteCommand cmd = new SQLiteCommand(qry, con);
cmd.Parameters.Add(new SQLiteParameter("wtName", tableName));
siteNum = Convert.ToInt32(cmd.ExecuteScalar());
}
Message: From application-wide exception handler: System.Data.SQLite.SQLiteException: SQL logic error or missing database
near "%": syntax error
const string qry = String.Format("SELECT SiteNum FROM WorkTable WHERE WTName LIKE {0}%", tableName);
如何获取数据并同时编写安全代码?通配符
%const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName";
using (SQLiteConnection con = new SQLiteConnection(HHSUtils.GetDBConnection()))
{
con.Open();
SQLiteCommand cmd = new SQLiteCommand(qry, con);
cmd.Parameters.Add(new SQLiteParameter("@wtName", tableName + "%"));
siteNum = Convert.ToInt32(cmd.ExecuteScalar());
}
而且,我不确定它在这里是否重要,但是,通常,我会插入参数名以及占位符(@wtName)中使用的确切名称。请尝试这样定义查询:
const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName + '%'";
最简单的方法是使用“| |” 使用:
const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName || '%' ";
const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName%";
const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName || '%' ";
const string qry = "SELECT SiteNum FROM WorkTable WHERE WTName LIKE @wtName%";
没有在SQLite上尝试,但它确实可以在SQL Server上运行。我从现有项目中复制了它。SQLite中字符串的连接运算符为| |,因此您应该编写
@wtName | |'%”