获得“最终”结果来自 MySqlCommand 的准备好的语句
我有以下 MySqlCommand:
Dim cmd As New MySqlCommand
cmd.CommandText = "REPLACE INTO `customer` VALUES( ?customerID, ?firstName, ?lastName)"
With cmd.Parameters
.AddWithValue("?customerID", m_CustomerID)
.AddWithValue("?firstName", m_FirstName)
.AddWithValue("?lastName", m_LastName)
End With
我有一个处理 MySqlCommands 执行的类,我希望它将每个查询记录到文件中。我可以检索正在执行的查询/命令:
cmd.CommandText
但这只是返回带有参数(?customerID,?firstName等)的原始CommandText,而不是由添加的实际替换值AddWithValue 函数。如何找出实际执行的“最终”查询?
I have the following MySqlCommand:
Dim cmd As New MySqlCommand
cmd.CommandText = "REPLACE INTO `customer` VALUES( ?customerID, ?firstName, ?lastName)"
With cmd.Parameters
.AddWithValue("?customerID", m_CustomerID)
.AddWithValue("?firstName", m_FirstName)
.AddWithValue("?lastName", m_LastName)
End With
I have a class that handles execution of MySqlCommands and I'd like to have it log every query to a file. I can retrieve the query/command being executed with:
cmd.CommandText
but that just returns the original CommandText with the parameters (?customerID, ?firstName, etc.) and not the actual substituted values added by the AddWithValue functions. How can I find out the actual "final" query that was executed?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
我做了以下操作:
这似乎输出了您需要的一切
I did the following:
This seems to output everything you need
我还没有看到这方面的方法。
在任何情况下,准备好的语句都会使用 ?customerID,?firstname 参数发送到服务器,然后单独发送实际参数 - mysql 驱动程序不会像您那样构建最终的 sql 查询不要使用准备好的语句。
I havn't seen a method for this.
And in any case, prepared statements are sent to the server with the ?customerID,?firstname parameters, and then the actual parameters are sent seperately - the mysql driver doesn't build up a final sql query like you'd do if you didn't use prepared statements.
您使用的参数化方法应该可以防止 SQL 注入。
如果 m_CustomerID 包含文本
那么它最终不会在服务器上执行。
AddWithValue会为您解决这个问题。至于实际执行的查询,如果启用了,您应该能够从查询日志中获取它。
The parameterised method you're using should be okay for preventing SQL injection.
If m_CustomerID contains the text
Then it won't end up being executed on the server as such. The
AddWithValuesorts that out for you.As for the actual executed query, you should be able to get that from the query-log, if it's enabled.
您必须自己构建它。
参数不只是放入字符串中然后作为 SQL 语句运行。 RDBMS 将实际准备 SQL,然后根据需要使用参数值。因此,没有一条 SQL 语句发送到服务器。要查看 SQL 是什么,您必须执行以下操作:
You would have to build it yourself.
Parameters are not just plopped into a string and then run as a SQL statement. The RDBMS will actually prepare the SQL and then use the parameter values as needed. Therefore, there's not a single SQL statement going to the server. To see what the SQL would be, you would have to do:
我有同样的需要。
根据我的阅读,查询文本不会与客户端中的参数值相结合 - 它们会被发送到服务器。
为了检查实际发送到服务器的查询,我使用了 mysqld 日志记录。对于我的 MySQL 版本,我将此条目添加到 my.cnf:
然后,我能够清楚地看到将命令文本与参数相结合的效果: 在我的例子中,重新启动 mysqld 后,我运行了单元测试,然后打开querys.txt 文件。
哈!
I have the same need.
From what I've read, the query text isn't combined with the param values in the client - they are sent to the server for that.
To inspect what query was actually being sent to the server, I used mysqld logging. For my version of MySQL, I added this entry to the my.cnf:
Then, I was able to see clearly the effect of combining command text with parameters: in my case, after restarting the mysqld, I ran my unit tests and then opened the queries.txt file.
HTH!
如果您想从 .NET 应用程序自行管理日志记录,最好的选择是继续使用带参数的 MySqlCommand 类以避免 SQL 注入;但是,当您记录 CommandText 时,请循环遍历参数集合并按名称/类型/值记录每个参数。
If you want to manage logging yourself from the .NET application, your best bet is to continue using the MySqlCommand class with parameters to avoid SQL injection; however, when you log the CommandText, loop through the Parameters collection and log each one by name/type/value.