当前提供程序不支持命令参数 - 我该怎么办？

发布于 2024-09-27 18:33:07 字数 838 浏览 8 评论 0原文

我正在尝试查询 Microsoft Indexing Service 目录，并且发现了很多关于它的非常有用的文章（例如这个），但是我发现每个例子都只是使用字符串连接来构建查询，而且在很多不同的层面上感觉都是错误的。

我显然想使用参数化查询，但看起来 MS 索引提供程序不支持它们，如以下异常所述：

“MSIDXS”提供程序不支持 ICommandWithParameters 接口。当前提供程序不支持命令参数。

这是我的代码的简化示例。我想做的就是运行一个非常简单的查询，并防止错误的输入。

OleDbCommand cmd = new OleDbCommand("select DocTitle, Path from scope() where @friendlyName = '@value'", ActiveConnection());
cmd.Parameters.Add(new OleDbParameter("@friendlyName", friendlyName));
cmd.Parameters.Add(new OleDbParameter("@value", value));

OleDbDataAdapter da = new OleDbDataAdapter(cmd);
DataSet results = new DataSet();
da.Fill(results);

如果我真的被迫使用字符串连接，那么清理输入的最佳方法是什么？我怎么知道我涵盖了所有案例？

原文

I'm trying to query the Microsoft Indexing Service catalog, and I've found a bunch of really helpful articles about it (like this one), but every example I find they just use string concatenation to build queries, and it feels so wrong on so many different levels.

I clearly want to use parameterized queries, but it looks like the MS Indexing provider doesn't support them, as described by the following exception:

The ICommandWithParameters interface is not supported by the 'MSIDXS' provider. Command parameters are unsupported with the current provider.

Here's a simplified example of my code. All I want to do is run a really simple query, and protect against bad input.

OleDbCommand cmd = new OleDbCommand("select DocTitle, Path from scope() where @friendlyName = '@value'", ActiveConnection());
cmd.Parameters.Add(new OleDbParameter("@friendlyName", friendlyName));
cmd.Parameters.Add(new OleDbParameter("@value", value));

OleDbDataAdapter da = new OleDbDataAdapter(cmd);
DataSet results = new DataSet();
da.Fill(results);

If I'm really forced to use string concatenation, what's the best way to sanitize the inputs? How will I know I covered all the cases?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

回梦 2024-10-04 18:33:07

参数必须有名称吗？看起来这个 msdn 示例可能符合要求。

public void CreateMyOleDbCommand(OleDbConnection connection,
string queryString, OleDbParameter[] parameters) {
OleDbCommand command = new OleDbCommand(queryString, connection);
command.CommandText = 
    "SELECT CustomerID, CompanyName FROM Customers WHERE Country = ? AND City = ?";
command.Parameters.Add(parameters);

for (int j=0; j<parameters.Length; j++)
{
    command.Parameters.Add(parameters[j]) ;
}

string message = "";
for (int i = 0; i < command.Parameters.Count; i++) 
{
    message += command.Parameters[i].ToString() + "\n";
}
Console.WriteLine(message);

http://msdn.microsoft.com/ en-us/library/system.data.oledb.oledbcommand.parameters.aspx

Do the parameters have to have names? Looks like this msdn example might fit the bill.

public void CreateMyOleDbCommand(OleDbConnection connection,
string queryString, OleDbParameter[] parameters) {
OleDbCommand command = new OleDbCommand(queryString, connection);
command.CommandText = 
    "SELECT CustomerID, CompanyName FROM Customers WHERE Country = ? AND City = ?";
command.Parameters.Add(parameters);

for (int j=0; j<parameters.Length; j++)
{
    command.Parameters.Add(parameters[j]) ;
}

string message = "";
for (int i = 0; i < command.Parameters.Count; i++) 
{
    message += command.Parameters[i].ToString() + "\n";
}
Console.WriteLine(message);

}

http://msdn.microsoft.com/en-us/library/system.data.oledb.oledbcommand.parameters.aspx

回复收藏 0 原文

~没有更多了~