如何即时进行自定义查询?
我正在 vb.net 上使用 sqlite 的数据库工作,该数据库托管一个画廊,我想扩展搜索属性。
这是实际的查询字符串:
"SELECT images.*
FROM images
JOIN nodes
ON images.id = nodes.image_id
WHERE tag_id = (SELECT tags.id
FROM tags
WHERE tag = '" & tagname & "')
ORDER BY images." & sort & " " & order & ""
但它只能搜索一个描述性标签(标签名)并对图像进行排序,仅此而已。
我还想过滤图像 ext (table = images.ext) 或一个或多个参数的结果...例如:
如果用户搜索“cars ext:jpg width>500”,数据库将返回具有以下内容的所有图像标签“汽车”,扩展名为 jpg,宽度大于 500 像素。
I'm working in a database on vb.net with sqlite which hosts a gallery and I want expand the search properities.
This the actual query string:
"SELECT images.*
FROM images
JOIN nodes
ON images.id = nodes.image_id
WHERE tag_id = (SELECT tags.id
FROM tags
WHERE tag = '" & tagname & "')
ORDER BY images." & sort & " " & order & ""
But it only can search for only one descriptive tag (tagname) and sort the images and nothing more.
I want to filter the results also for image ext (table = images.ext) or one or more parameter...for example:
If the user search "cars ext:jpg width>500" the the database returns all images which has the tag "cars", has the extension jpg and are bigger than 500 px width.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
首先,这段代码是危险的。它容易受到 SQL 注入攻击。您不应该只是将这样的字符串值附加到查询字符串中。相反,您应该使用参数化查询。
对于您的具体问题,您应该检查搜索的输入,并根据输入生成查询的特定部分,并在必要时对它们进行参数化。
例如,如果您必须对扩展进行过滤,那么您可以在保存 join 子句的变量中添加一个到扩展表的连接,并在保存 where 子句的变量中添加对连接表的过滤器(以及相应的参数和参数值)。
然后,最后,将查询的各个部分连接在一起(以及查询参数)并执行它。
First, this code is dangerous. It's open to SQL Injection attacks. You shouldn't just append string values like that to the query string. Instead, you should use a parameterized query.
In regards to your specific question, you should check the inputs for the search, and based on the inputs, generate the specifc sections of the query, parameterizing them where necessary.
For example, if you have to filter on extensions, then you add a join to the extensions table in the variable holding the join clause, as well as a filter on the joined table in the variable holding the where clause (as well as the appropriate parameter and parameter value).
Then, in the end, you concatenate the parts of the query together (along with the query parameters) and execute it.
首先,如果该输入来自用户,请不要连接这样的字符串,因为它容易受到 SQL 注入
使用 SQL 参数是避免注入的一种方法:
您可以将其扩展为:
First of all, if that input is coming in from the user, don't concatenate strings like that, because it's succeptible to SQL Injection
Using SQL Parameters is a way to avoid the injection:
You can extend this to:
如果我正确理解这个问题,您只想构建一个查询字符串。你尝试过这样的事情吗?
SQLcommand.CommandText = "SELECT images.* FROM images JOIN 节点 ON images.id = paths.image_id WHERE tag_id = (SELECT Tags.id FROM Tags WHERE tag = '" & tagname & "') AND images.Ext = ' ” &分机& "' AND 宽度 > " &宽度和“按图像排序。” &排序& ” ” &订单& ””
If I understand the question correctly, you just want to build up a query string. Have you tried something like this?
SQLcommand.CommandText = "SELECT images.* FROM images JOIN nodes ON images.id = nodes.image_id WHERE tag_id = (SELECT tags.id FROM tags WHERE tag = '" & tagname & "') AND images.Ext = '" & ext & "' AND width > " & width & " ORDER BY images." & sort & " " & order & ""
单独构建 WHERE 子句并将其添加到查询中。
Build WHERE clause separately and when add it to your query.