SQL过滤查询
我有一个表,其中有许多字段。 我正在尝试在 asp.net 中创建搜索过滤器,以便用户可以按一个或多个字段的组合进行搜索。 所以基本上我想创建一个接受 4 个参数的单个存储过程,如果参数不为空,它会将参数附加到 WHERE 子句...
TableExample 有 4 列,Col1 Col2 Col3 Col4
我希望有办法做到这一点使用单个存储过程,而不必为每种可能的组合创建一个存储过程。
我正在尝试这样的事情,这是不正确的,但这是我迄今为止所得到的。
谢谢!
CREATE PROCEDURE [dbo].[Search]
@Col1 int,
@Col2 int,
@Col3 int,
@Col4 int
AS
SET TRANSACTION ISOLATION LEVEL READ COMMITTED
SELECT *
FROM
[dbo].[TestTable]
WHERE
1=1
CASE
WHEN @Col1 IN NOT NULL
THEN AND [Col1] = @Col1
WHEN @Col2 IN NOT NULL
THEN AND [Col2] = @Col2
WHEN @Col3 IN NOT NULL
THEN AND [Col3] = @Col3
WHEN @Col4 IN NOT NULL
THEN AND [Col4] = @Col4
END
I have a table with a number of fields in it. I am trying to create search filter in asp.net so the user can search by one or a combination of fields. So basically I want to create a single stored procedure that takes in 4 params and it will append the param to the WHERE clause if its not null...
TableExample has 4 columns, Col1 Col2 Col3 Col4
I am hoping there is way to do this with a single stored procedure instead of having to create one for each possible combination.
I was trying something like this, which isn't correct, but its what ive got thus far.
THANKS!
CREATE PROCEDURE [dbo].[Search]
@Col1 int,
@Col2 int,
@Col3 int,
@Col4 int
AS
SET TRANSACTION ISOLATION LEVEL READ COMMITTED
SELECT *
FROM
[dbo].[TestTable]
WHERE
1=1
CASE
WHEN @Col1 IN NOT NULL
THEN AND [Col1] = @Col1
WHEN @Col2 IN NOT NULL
THEN AND [Col2] = @Col2
WHEN @Col3 IN NOT NULL
THEN AND [Col3] = @Col3
WHEN @Col4 IN NOT NULL
THEN AND [Col4] = @Col4
END
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
使用 OR 短路这一事实。 我假设 -1 不是有效值。
Use the fact that OR short circuits. I've assumed -1 is not a valid value.
搜索是我提倡使用动态 sql 或在代码中构建 sql 字符串的罕见选项之一。 如果您有一个全存储过程环境,请在存储过程中使用动态 sql。 对其进行参数化并使用 sp_executeSQL 来运行它以避免 SQL 注入
search is one of the rare options i preach using either dynamic sql or building your sql string in code. if you have an all sproc environment use dynamic sql in your sproc. parametrize it and use sp_executeSQL to run it to avoid SQL Injection
您可以使用与您所拥有的类似的方法来完成此操作:
或者您可以使其变得更简单,尽管可能可读性较差:
You can do it with a method similar to what you have:
Or you can make it a lot simpler, although possibly less readable:
您必须使用动态 SQL 来执行此操作:
请记住,这存在危险,包括 SQL 注入,以及可能出现的许多其他权限问题,因为它是动态 SQL,但这是唯一的方法在数据库层完成此操作。 如果您想在应用程序层(用 C#)构建查询,您可以更彻底地防御 SQL 注入攻击。
一些动态 SQL 链接可能会帮助您了解其缺点:
http://www.sommarskog.se/dynamic_sql。 html
http: //slashstar.com/blogs/tim/archive/2006/10/12/The-Prevalence-and-Dangers-of-SQL-Injection.aspx
You'd have to use dynamic SQL to do it:
Keep in mind that there are dangers to this, including SQL injection, as well as a host of other permissions problems that can arise, since it's dynamic SQL, but it's the only way to accomplish this in the database layer. If you want to build you query at the application layer (in C#), you can defend against the SQL injection attacks much more thoroughly.
Some dynamic SQL links that might help you understand the drawbacks:
http://www.sommarskog.se/dynamic_sql.html
http://slashstar.com/blogs/tim/archive/2006/10/12/The-Prevalence-and-Dangers-of-SQL-Injection.aspx
我感谢大家的回复。 不过,我的做法有点不同。 我希望它能帮助别人! 我是这样做的:
I thank you all for your replies. However, I did it a little bit differently. I hope it helps someone out! Here's how I went about it: