Sql KE比较运算符_Sql_Sql Server_Parameters

Sql KE比较运算符

sql sql-server parameters

Sql KE比较运算符,sql,sql-server,parameters,Sql,Sql Server,Parameters,补洞修补此漏洞的一种方法是转义%通配符。（对于任何不熟悉操作员免责条款的人，这里有一个链接现在我们可以匹配literal%。当然，当我们有一个列名时，我们需要动态转义通配符。我们可以使用REPLACE函数查找%字符的匹配项，并在每个字符前面插入一个反斜杠，如下所示： select ... where '|pe%ter|' like '%|' + REPLACE( 'pe%ter' ,'%','\%') + '|%' escape '\' and ( {1}==0 or b.Compa

补洞

修补此漏洞的一种方法是转义

通配符。（对于任何不熟悉操作员免责条款的人，这里有一个链接

现在我们可以匹配literal%。当然，当我们有一个列名时，我们需要动态转义通配符。我们可以使用

REPLACE

函数查找

字符的匹配项，并在每个字符前面插入一个反斜杠，如下所示：

select ...
 where '|pe%ter|'
  like '%|' + REPLACE( 'pe%ter' ,'%','\%') + '|%' escape '\'

and ( {1}==0 or b.CompanyId in ({2},{3},{4},{5},{6}) )

  int origCount = idList.Count;
  if (origCount > 5) {
    throw new Exception("You may only specify up to five originators to filter on.");
  }
  while (idList.Count < 5) { idList.Add(-1); }  // -1 is an impossible value
  return ExecuteQuery<PublishDate>(getValuesInListSQL, 
               origCount,   
               idList[0], idList[1], idList[2], idList[3], idList[4]);

这就解决了%通配符的问题。差不多

逃逸

我们认识到我们的解决方案引入了另一个问题。转义字符。我们发现还需要转义任何转义字符本身。这次，我们使用！作为转义字符：

select ...
 where '|pe%t!r|'
  like '%|' + REPLACE(REPLACE( 'pe%t!r' ,'!','!!'),'%','!%') + '|%' escape '!'

下划线太多

现在我们可以添加另一个

REPLACE

处理下划线通配符了。为了好玩，这次我们将使用$作为转义符

select ...
 where '|p_%t!r|'
  like '%|' + REPLACE(REPLACE(REPLACE( 'p_%t!r' ,'$','$$'),'%','$%'),'_','$_') + '|%' escape '$'

我更喜欢这种转义方法，因为它适用于Oracle和MySQL以及SQL Server。（我通常使用\反斜杠作为转义字符，因为这是我们在正则表达式中使用的字符。但是为什么要受约定的约束呢？）

那些讨厌的括号

SQL Server还允许将通配符括在括号中，将其视为文字。因此，至少对于SQL Server，我们还没有完成修复。由于括号对具有特殊意义，我们也需要对其进行转义。如果我们能够正确地转义括号，那么至少我们不必为括号内的连字符

和克拉

而烦恼。我们可以保留任何

>括号内的字符被转义，因为我们基本上禁用了括号的特殊含义

找到匹配的括号对应该不是那么难。这比处理出现的单例%和389;要困难一些。（注意，仅仅转义所有括号是不够的，因为单例括号被认为是一个文本，不需要转义。逻辑变得有点模糊，我无法在不运行更多测试用例的情况下处理。）

内联表达式变得凌乱
SQL中的内联表达式变得越来越长，越来越难看。我们可能可以让它工作，但上帝保佑这个可怜的灵魂，因为我是内联表达式的粉丝，我不想在这里使用内联表达式，主要是因为我不想留下解释混乱原因的评论，以及道歉这是我的荣幸
函数在哪里？
好吧，如果我们不把它作为SQL中的内联表达式来处理，最接近的替代方法就是用户定义的函数。我们知道这不会加快任何速度（除非我们可以在它上定义索引，就像Oracle一样）。如果我们必须创建一个函数，我们最好在调用SQL语句的代码中这样做
根据DBMS和版本的不同，该函数在行为上可能会有一些差异。（这是对所有热衷于能够互换使用任何数据库引擎的Java开发人员的一个警告。）
领域知识
我们可能对该列的域有专门的了解（即，为该列强制执行的一组允许值）。我们可能事先知道，存储在该列中的值永远不会包含百分号、下划线或括号对。在这种情况下，我们只需提供一个快速注释，说明这些情况都已涵盖
存储在列中的值可能允许%或uu个字符，但约束可能要求转义这些值，可能需要使用已定义的字符，以便这些值类似于比较“安全”。再次，请快速评论允许的值集，特别是哪个字符用作转义字符，并使用Joel Spolsky的方法
但是，在缺乏专业知识和保证的情况下，我们至少应该考虑处理那些晦涩难懂的案例，并考虑行为是否合理和“按说明书”。
概述的其他问题
我相信其他人已经充分指出了其他一些普遍关注的领域：

（采用用户提供的信息，并将其包含在SQL文本中，而不是通过绑定变量提供。不需要使用绑定变量，这只是阻止SQL注入的一种方便方法。还有其他方法可以解决此问题：

优化器计划使用索引扫描而不是索引搜索，可能需要表达式或函数来转义通配符（表达式或函数上可能有索引）

使用文字值代替绑定变量会影响可伸缩性

结论
我喜欢乔尔·斯波尔斯基的方法。它很聪明，而且很有效
但当我一看到它，我马上就发现它有一个潜在的问题，让它溜走不是我的天性。我并不想批评其他人的努力。我知道许多开发人员非常重视他们的工作，因为他们在这方面投入了太多，他们非常关心它。所以请理解，这不是人身攻击。我在这里指出的是生产中出现的问题类型，而不是测试

<>是的，我已经远离了原来的问题。但是，还有什么地方可以留下这个关于我被认为是一个重要问题的关于“被选择的”一个问题的答案？
< P>另一个可能的解决办法是把变量的变量传递给一个
cmd.CommandText = "SELECT * FROM Tags WHERE Name IN (@tag0, @tag1, @tag2, @tag3)" cmd.Parameters["@tag0"] = "ruby" cmd.Parameters["@tag1"] = "rails" cmd.Parameters["@tag2"] = "scruffy" cmd.Parameters["@tag3"] = "rubyonrails"

SELECT * FROM Tags WHERE '|ruby|rails|scruffy|rubyonrails|' LIKE '%|' + Name + '|%'

string[] tags = new string[] { "ruby", "rails", "scruffy", "rubyonrails" }; const string cmdText = "select * from tags where '|' + @tags + '|' like '%|' + Name + '|%'"; using (SqlCommand cmd = new SqlCommand(cmdText)) { cmd.Parameters.AddWithValue("@tags", string.Join("|", tags); }

ALTER FUNCTION [dbo].[Fn_sqllist_to_table](@list AS VARCHAR(8000), @delim AS VARCHAR(10)) RETURNS @listTable TABLE( Position INT, Value VARCHAR(8000)) AS BEGIN DECLARE @myPos INT SET @myPos = 1 WHILE Charindex(@delim, @list) > 0 BEGIN INSERT INTO @listTable (Position,Value) VALUES (@myPos,LEFT(@list, Charindex(@delim, @list) - 1)) SET @myPos = @myPos + 1 IF Charindex(@delim, @list) = Len(@list) INSERT INTO @listTable (Position,Value) VALUES (@myPos,'') SET @list = RIGHT(@list, Len(@list) - Charindex(@delim, @list)) END IF Len(@list) > 0 INSERT INTO @listTable (Position,Value) VALUES (@myPos,@list) RETURN END

@Name varchar(8000) = null // parameter for search values select * from Tags where Name in (SELECT value From fn_sqllist_to_table(@Name,','))) order by Count desc

<cfset myvalues = "ruby|rails|scruffy|rubyonrails"> <cfquery name="q"> select * from sometable where values in <cfqueryparam value="#myvalues#" list="true"> </cfquery>

var inValues = new [] { "ruby","rails","scruffy","rubyonrails" }; var results = from tag in Tags where inValues.Contains(tag.Name) select tag;

with qry(n, names) as (select len(list.names) - len(replace(list.names, ',', '')) - 1 as n, substring(list.names, 2, len(list.names)) as names from (select ',Doc,Grumpy,Happy,Sneezy,Bashful,Sleepy,Dopey,' names) as list union all select (n - 1) as n, substring(names, 1 + charindex(',', names), len(names)) as names from qry where n > 1) select n, substring(names, 1, charindex(',', names) - 1) dwarf from qry;

select n, substr(name, 1, instr(name, ',') - 1) dwarf from (select n, substr(val, 1 + instr(val, ',', 1, n)) name from (select rownum as n, list.val from (select ',Doc,Grumpy,Happy,Sneezy,Bashful,Sleepy,Dopey,' val from dual) list connect by level < length(list.val) - length(replace(list.val, ',', ''))));

select pivot.n, substring_index(substring_index(list.val, ',', 1 + pivot.n), ',', -1) from (select 1 as n union all select 2 as n union all select 3 as n union all select 4 as n union all select 5 as n union all select 6 as n union all select 7 as n union all select 8 as n union all select 9 as n union all select 10 as n) pivot, (select ',Doc,Grumpy,Happy,Sneezy,Bashful,Sleepy,Dopey,' val) as list where pivot.n < length(list.val) - length(replace(list.val, ',', ''));

select ... where '|peanut|butter|' like '%|' + 'pe%ter' + '|%'

select ... where '|butter|peanut|' like '%|' + 'pe%ter' + '|%'

select ... where '|peanut|butter|' like '%|' + 'pe\%ter' + '|%' escape '\'

select ... where '|pe%ter|' like '%|' + REPLACE( 'pe%ter' ,'%','\%') + '|%' escape '\'

select ... where '|pe%t!r|' like '%|' + REPLACE(REPLACE( 'pe%t!r' ,'!','!!'),'%','!%') + '|%' escape '!'

select ... where '|p_%t!r|' like '%|' + REPLACE(REPLACE(REPLACE( 'p_%t!r' ,'$','$$'),'%','$%'),'_','$_') + '|%' escape '$'

SELECT * FROM Tags WHERE PATINDEX('%<' + Name + '>%','<jo>,<john>,<scruffy>,<rubyonrails>') > 0

CREATE FUNCTION dbo.fnParseArray (@Array VARCHAR(1000),@separator CHAR(1)) RETURNS @T Table (col1 varchar(50)) AS BEGIN --DECLARE @T Table (col1 varchar(50)) -- @Array is the array we wish to parse -- @Separator is the separator charactor such as a comma DECLARE @separator_position INT -- This is used to locate each separator character DECLARE @array_value VARCHAR(1000) -- this holds each array value as it is returned -- For my loop to work I need an extra separator at the end. I always look to the -- left of the separator character for each array value SET @array = @array + @separator -- Loop through the string searching for separtor characters WHILE PATINDEX('%' + @separator + '%', @array) <> 0 BEGIN -- patindex matches the a pattern against a string SELECT @separator_position = PATINDEX('%' + @separator + '%',@array) SELECT @array_value = LEFT(@array, @separator_position - 1) -- This is where you process the values passed. INSERT into @T VALUES (@array_value) -- Replace this select statement with your processing -- @array_value holds the value of this element of the array -- This replaces what we just processed with and empty string SELECT @array = STUFF(@array, 1, @separator_position, '') END RETURN END

SELECT * FROM dbo.fnParseArray('a,b,c,d,e,f', ',')

and ( {1}==0 or b.CompanyId in ({2},{3},{4},{5},{6}) )

int origCount = idList.Count; if (origCount > 5) { throw new Exception("You may only specify up to five originators to filter on."); } while (idList.Count < 5) { idList.Add(-1); } // -1 is an impossible value return ExecuteQuery<PublishDate>(getValuesInListSQL, origCount, idList[0], idList[1], idList[2], idList[3], idList[4]);

DECLARE @InputString varchar(8000) = 'ruby,rails,scruffy,rubyonrails' SELECT @InputString = @InputString + ',' ;WITH RecursiveCSV(x,y) AS ( SELECT x = SUBSTRING(@InputString,0,CHARINDEX(',',@InputString,0)), y = SUBSTRING(@InputString,CHARINDEX(',',@InputString,0)+1,LEN(@InputString)) UNION ALL SELECT x = SUBSTRING(y,0,CHARINDEX(',',y,0)), y = SUBSTRING(y,CHARINDEX(',',y,0)+1,LEN(y)) FROM RecursiveCSV WHERE SUBSTRING(y,CHARINDEX(',',y,0)+1,LEN(y)) <> '' OR SUBSTRING(y,0,CHARINDEX(',',y,0)) <> '' ) SELECT * FROM Tags WHERE Name IN (select x FROM RecursiveCSV) OPTION (MAXRECURSION 32767);

string[] names = new string[] {"ruby","rails","scruffy","rubyonrails"}; var tags = dataContext.Query<Tags>(@" select * from Tags where Name in @names order by Count desc", new {names});

string[] names = new string[] {"ruby","rails","scruffy","rubyonrails"}; var tags = from tag in dataContext.Tags where names.Contains(tag.Name) orderby tag.Count descending select tag;

declare @x xml set @x='<items> <item myvalue="29790" /> <item myvalue="31250" /> </items> '; With CTE AS ( SELECT x.item.value('@myvalue[1]', 'decimal') AS myvalue FROM @x.nodes('//items/item') AS x(item) ) select * from YourTable where tableColumnName in (select myvalue from cte)

-- Create a user defined type for the list. CREATE TYPE [dbo].[StringList] AS TABLE( [StringValue] [nvarchar](max) NOT NULL ) -- Create a sample list using the list table type. DECLARE @list [dbo].[StringList]; INSERT INTO @list VALUES ('one'), ('two'), ('three'), ('four') -- Build a string in which we recreate the list so we can pass it to exec -- This can be done in any language since we're just building a string. DECLARE @str nvarchar(max); SET @str = 'DECLARE @list [dbo].[StringList]; INSERT INTO @list VALUES ' -- Add all the values we want to the string. This would be a loop in C++. SELECT @str = @str + '(''' + StringValue + '''),' FROM @list -- Remove the trailing comma so the query is valid sql. SET @str = substring(@str, 1, len(@str)-1) -- Add a select to test the string. SET @str = @str + '; SELECT * FROM @list;' -- Execute the string and see we've pass the table correctly. EXEC(@str)

create stored procedure GetSearchMachingTagNames @PipeDelimitedTagNames varchar(max), @delimiter char(1) as begin select * from Tags where Name in (select data from [dbo].[Split](@PipeDelimitedTagNames,@delimiter) end

[SqlFunction( DataAccessKind.None, IsDeterministic = true, SystemDataAccess = SystemDataAccessKind.None, IsPrecise = true, FillRowMethodName = "SplitFillRow", TableDefinintion = "s NVARCHAR(MAX)"] public static IEnumerable Split(SqlChars seperator, SqlString s) { if (s.IsNull) return new string[0]; return s.ToString().Split(seperator.Buffer); } public static void SplitFillRow(object row, out SqlString s) { s = new SqlString(row.ToString()); }

declare @desiredTags nvarchar(MAX); set @desiredTags = 'ruby,rails,scruffy,rubyonrails'; select * from Tags where Name in [dbo].[Split] (',', @desiredTags) order by Count desc

CREATE TABLE Tags ([ID] int, [Name] varchar(20)) ; INSERT INTO Tags ([ID], [Name]) VALUES (1, 'ruby'), (2, 'rails'), (3, 'scruffy'), (4, 'rubyonrails') ;

DECLARE @Param nvarchar(max) SET @Param = 'ruby,rails,scruffy,rubyonrails' SELECT * FROM Tags WHERE CharIndex(Name,@Param)>0

Create table SelectedTags (Name nvarchar(20)); INSERT INTO SelectedTags values ('ruby'),('rails')

DECLARE @list nvarchar(max) SELECT @list=coalesce(@list+',','')+st.Name FROM SelectedTags st SELECT * FROM Tags WHERE CharIndex(Name,@Param)>0

CREATE PROCEDURE [dbo].[sp_myproc] @UnitList varchar(MAX) = '1,2,3' AS select column from table where ph.UnitID in (select * from CsvToInt(@UnitList))

CREATE Function [dbo].[CsvToInt] ( @Array varchar(MAX)) returns @IntTable table (IntValue int) AS begin declare @separator char(1) set @separator = ',' declare @separator_position int declare @array_value varchar(MAX) set @array = @array + ',' while patindex('%,%' , @array) <> 0 begin select @separator_position = patindex('%,%' , @array) select @array_value = left(@array, @separator_position - 1) Insert @IntTable Values (Cast(@array_value as int)) select @array = stuff(@array, 1, @separator_position, '') end return end

private static DataSet GetDataSet(SqlConnectionStringBuilder scsb, string strSql, params object[] pars) { var ds = new DataSet(); using (var sqlConn = new SqlConnection(scsb.ConnectionString)) { var sqlParameters = new List<SqlParameter>(); var replacementStrings = new Dictionary<string, string>(); if (pars != null) { for (int i = 0; i < pars.Length; i++) { if (pars[i] is IEnumerable<object>) { List<object> enumerable = (pars[i] as IEnumerable<object>).ToList(); replacementStrings.Add("@" + i, String.Join(",", enumerable.Select((value, pos) => String.Format("@_{0}_{1}", i, pos)))); sqlParameters.AddRange(enumerable.Select((value, pos) => new SqlParameter(String.Format("@_{0}_{1}", i, pos), value ?? DBNull.Value)).ToArray()); } else { sqlParameters.Add(new SqlParameter(String.Format("@{0}", i), pars[i] ?? DBNull.Value)); } } } strSql = replacementStrings.Aggregate(strSql, (current, replacementString) => current.Replace(replacementString.Key, replacementString.Value)); using (var sqlCommand = new SqlCommand(strSql, sqlConn)) { if (pars != null) { sqlCommand.Parameters.AddRange(sqlParameters.ToArray()); } else { //Fail-safe, just in case a user intends to pass a single null parameter sqlCommand.Parameters.Add(new SqlParameter("@0", DBNull.Value)); } using (var sqlDataAdapter = new SqlDataAdapter(sqlCommand)) { sqlDataAdapter.Fill(ds); } } } return ds; }

List<SqlParameter> parameters = tags.Select((s, i) => new SqlParameter("@tag" + i.ToString(), SqlDbType.NVarChar(50)) { Value = s}).ToList(); var whereCondition = string.Format("tags in ({0})", String.Join(",",parameters.Select(s => s.ParameterName)));

var parameters = new List<SqlParameter>(); var paramNames = new List<string>(); for (var i = 0; i < tags.Length; i++) { var paramName = "@tag" + i; //Include size and set value explicitly (not AddWithValue) //Because SQL Server may use an implicit conversion if it doesn't know //the actual size. var p = new SqlParameter(paramName, SqlDbType.NVarChar(50) { Value = tags[i]; } paramNames.Add(paramName); parameters.Add(p); } var inClause = string.Join(",", paramNames);

CREATE FUNCTION [dbo].[Split] (@sep char(1), @s varchar(8000)) RETURNS table AS RETURN ( WITH Pieces(pn, start, stop) AS ( SELECT 1, 1, CHARINDEX(@sep, @s) UNION ALL SELECT pn + 1, stop + 1, CHARINDEX(@sep, @s, stop + 1) FROM Pieces WHERE stop > 0 ) SELECT SUBSTRING(@s, start, CASE WHEN stop > 0 THEN stop-start ELSE 512 END) AS s FROM Pieces )

select * from Tags where Name in (select s from dbo.split(';','ruby;rails;scruffy;rubyonrails')) order by Count desc

CREATE TABLE dbo.Tags ( Name VARCHAR(50), Count INT ) INSERT INTO dbo.Tags VALUES ('VB',982), ('ruby',1306), ('rails',1478), ('scruffy',1), ('C#',1784) GO CREATE PROC dbo.SomeProc @Tags VARCHAR(MAX) AS SELECT T.* FROM dbo.Tags T WHERE T.Name IN (SELECT J.Value COLLATE Latin1_General_CI_AS FROM OPENJSON(CONCAT('[', @Tags, ']')) J) ORDER BY T.Count DESC GO EXEC dbo.SomeProc @Tags = '"ruby","rails","scruffy","rubyonrails"' DROP TABLE dbo.Tags

DECLARE @names NVARCHAR(MAX) = 'ruby,rails,scruffy,rubyonrails'; SELECT * FROM Tags WHERE Name IN (SELECT [value] FROM STRING_SPLIT(@names, ',')) ORDER BY [Count] DESC;

DECLARE @names NVARCHAR(MAX) = 'ruby,rails,scruffy,rubyonrails'; SELECT t.* FROM Tags t JOIN STRING_SPLIT(@names,',') ON t.Name = [value] ORDER BY [Count] DESC;

SELECT ProductId, Name, Tags FROM Product WHERE ',1,2,3,' LIKE '%,' + CAST(ProductId AS VARCHAR(20)) + ',%';

DECLARE @names NVARCHAR(MAX) = 'ruby,rails,scruffy,rubyonrails,sql'; CREATE TABLE #t(val NVARCHAR(120)); INSERT INTO #t(val) SELECT s.[value] FROM STRING_SPLIT(@names, ',') s; SELECT * FROM Tags tg JOIN #t t ON t.val = tg.TagName ORDER BY [Count] DESC;