使用 system.data.oracleclient 构建良好的搜索查询
我正在一个类中构造一个搜索函数,供我们的几个 asp 页面使用。这个想法很简单,从用户那里获取搜索词并在数据库中查询该项目。目前我的做法是错误的,这很容易受到 SQL 注入攻击(以及 ELMAH如果出现问题,它就在那里拯救世界):
Public Shared Function SearchByName(ByVal searchterm As String) As DataTable
SearchByName = New DataTable
Dim con As New OracleConnection(System.Configuration.ConfigurationManager.ConnectionStrings("OracleDB").ConnectionString)
Try
con.Open()
Dim SqlStr As String = "select ID_ELEMENT, ELEMENT_NAME from table_of_elements where upper(ELEMENT_NAME) like upper('%" & searchterm & "%')"
Dim cmd As New OracleCommand(SqlStr, con)
SearchByName.Load(cmd.ExecuteReader)
Catch ex As Exception
Elmah.ErrorSignal.FromCurrentContext().Raise(ex)
End Try
con.Close()
con.Dispose()
Return SearchByName
End Function
字符串连接是不好的。接下来你知道,Bobby Tables 破坏了我的系统。 现在,正确的方法是创建一个正确的 oracle 变量,方法是将 :searchterm 放入字符串中并添加以下行:
cmd.Parameters.Add(New OracleParameter("SEARCHTERM", searchterm))
问题是因为我使用的是 like 语句,所以我需要能够将 % 放在搜索词的两侧,我似乎无法使用 '%:searchterm%' 执行此操作,它只会给出 ORA-01036: 非法变量名称/数字的错误。
我可以参数化但仍将我的灵活的 like 语句作为其中的一部分吗?
I am constructing a search function in a class to be used by several of our asp pages. The idea is simple, take a search term from the user and query the database for the item. Currently I am doing this the wrong way, which is vulnerable to SQL injection attacks (and ELMAH is in there to save the day if something goes wrong):
Public Shared Function SearchByName(ByVal searchterm As String) As DataTable
SearchByName = New DataTable
Dim con As New OracleConnection(System.Configuration.ConfigurationManager.ConnectionStrings("OracleDB").ConnectionString)
Try
con.Open()
Dim SqlStr As String = "select ID_ELEMENT, ELEMENT_NAME from table_of_elements where upper(ELEMENT_NAME) like upper('%" & searchterm & "%')"
Dim cmd As New OracleCommand(SqlStr, con)
SearchByName.Load(cmd.ExecuteReader)
Catch ex As Exception
Elmah.ErrorSignal.FromCurrentContext().Raise(ex)
End Try
con.Close()
con.Dispose()
Return SearchByName
End Function
String concatenation is BAD. Next thing you know, Bobby Tables wrecks my system.
Now, the correct way to do this is to to make a proper oracle variable, by putting :searchterm in the string and adding the following line:
cmd.Parameters.Add(New OracleParameter("SEARCHTERM", searchterm))
The problem is since I am using a like statement, I need to be able to have % on either side of the search word, and I can't seem to do that with '%:searchterm%', it just gives an error of ORA-01036: illegal variable name/number.
Can I parameterize but still have my flexible like statement be a part of it?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不要在 VB 代码中进行串联,而是在 SQL 语句中进行串联。那么你想做的事情应该有效。下面是一些 SQL 说明了我正在讨论的内容:
顺便说一句,如果将 ELEMENT_NAME 上的排序规则切换为不区分大小写,然后删除对 upper() 的调用,最终可能会得到更有效的查询。
Instead of doing the concatenation in your VB code, do the concatenation in the SQL statement. Then what you're trying to do should work. Here's some SQL illustrating what I'm talking about:
BTW, you might end up with more efficient queries if you switch the collation on ELEMENT_NAME to case-insensitive and then remove the calls to upper().
由于您使用的是 Oracle,另一个选择是使用 Oracle Text< /a> 执行搜索。
正确设置可能需要一些时间,但如果您有大量文本要搜索,或者有某种结构化数据,它可以为您提供比简单的通配符比较更多的选项。
如果您也遇到这个问题,它还有一些处理多种语言的好功能。
Since you're using oracle, another option would be to use Oracle Text to perform the search.
It can take a bit to set up properly, but if you have a large amount of text to search, or have some sort of structured data, it can offer you many more options than a simple wild-card comparison.
It also has some nice features for dealing with multiple languages, if you happen to have that problem as well.