将参数绑定到 OLEDB 命令会引发错误

发布于 2024-09-08 22:28:40 字数 1342 浏览 1 评论 0原文

我正在将 AS 400 OLEDB 与 .NET 一起使用。它使用“？”而不是 '@param 将参数与命令绑定现在有一种情况，命令就像

SELECT ...
FROM
   (SELECT ... 
         ROW_NUMBER() OVER(ORDER BY ColumnName) as RowNum
    FROM Employees e
   ) as DerivedTableName
WHERE RowNum BETWEEN @startRowIndex AND (@startRowIndex + @maximumRows) - 1

我的命令变成

    SELECT ...
FROM
   (SELECT ... 
         ROW_NUMBER() OVER(ORDER BY ColumnName) as RowNum
    FROM Employees e
   ) as DerivedTableName
WHERE RowNum BETWEEN ? AND (? + ?) - 1

现在，当我绑定参数时，

myCommand.Parameters.Add(new OleDbParameter("?",startRowIndex));
myCommand.Parameters.Add(new OleDbParameter("?", startRowIndex));
myCommand.Parameters.Add(new OleDbParameter("?", MaximumRows));

现在，它会抛出错误，

SQL0417: Combination of parameter markers not valid.
Cause . . . . . :   The statement string specified as the object of a PREPARE statement contains a predicate or expression where parameter markers have been used as operands of the same operator.  The following restrictions apply to the use of parameter markers: -- Both the operands in a predicate cannot be parameter markers. For example, specifying predicates of the form:    ? = ?      or    ? = ( SELECT ? FROM x ) are not valid.

在这种情况下如何绑定参数？我想避免sql注入:)

原文

I am using AS 400 OLEDB with .NET. It uses '?' instead of '@param to bind parameters with a command
Now there is a situation where the command is like

SELECT ...
FROM
   (SELECT ... 
         ROW_NUMBER() OVER(ORDER BY ColumnName) as RowNum
    FROM Employees e
   ) as DerivedTableName
WHERE RowNum BETWEEN @startRowIndex AND (@startRowIndex + @maximumRows) - 1

Now my command becomes

    SELECT ...
FROM
   (SELECT ... 
         ROW_NUMBER() OVER(ORDER BY ColumnName) as RowNum
    FROM Employees e
   ) as DerivedTableName
WHERE RowNum BETWEEN ? AND (? + ?) - 1

Now when I bind parameters like

myCommand.Parameters.Add(new OleDbParameter("?",startRowIndex));
myCommand.Parameters.Add(new OleDbParameter("?", startRowIndex));
myCommand.Parameters.Add(new OleDbParameter("?", MaximumRows));

It throws error

SQL0417: Combination of parameter markers not valid.
Cause . . . . . :   The statement string specified as the object of a PREPARE statement contains a predicate or expression where parameter markers have been used as operands of the same operator.  The following restrictions apply to the use of parameter markers: -- Both the operands in a predicate cannot be parameter markers. For example, specifying predicates of the form:    ? = ?      or    ? = ( SELECT ? FROM x ) are not valid.

How do I bind parameters in this situation ? I want to avoid sql injection :)

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

我要还你自由 2024-09-15 22:28:40

尝试更改参数名称

myCommand.Parameters.Add(new OleDbParameter("@startRowIndex",startRowIndex));
myCommand.Parameters.Add(new OleDbParameter("@startRowIndex2", startRowIndex));
myCommand.Parameters.Add(new OleDbParameter("@MaximumRows", MaximumRows));

，但保持 SQL 不变。

Try changing the names of the parameters

myCommand.Parameters.Add(new OleDbParameter("@startRowIndex",startRowIndex));
myCommand.Parameters.Add(new OleDbParameter("@startRowIndex2", startRowIndex));
myCommand.Parameters.Add(new OleDbParameter("@MaximumRows", MaximumRows));

but leave the SQL as is.

回复收藏 0 原文

~没有更多了~