在sql server中参数化全文查询

发布于 2024-11-03 14:54:17 字数 687 浏览 1 评论 0原文

我在使用 sql server 全文功能时遇到问题。我正在将一些论坛软件转换为使用全文搜索，并且我已完成所有设置并正常工作。我的问题与全文查询有关。我设计了一些查询，当我使用 CONTAINS 谓词在 sql server management studio 中测试它们时，这些查询可以根据需要运行来定位我的搜索结果，例如：

Select ....
From ..... 
WHERE Contains(p.Message,'" dog food "' ) ......

所以这运行得很好，但是我如何在准备好的语句中参数化它？理想情况下，我希望能够使用 where 子句运行查询，例如：

Select ....
From ..... 
WHERE Contains(p.Message,'" @SearchTerm "' ) ...

或什至

WHERE Contains(p.Message,'"@SearchTerm" Near "@OtherSearchTerm" ) ...

但是由于双引号等原因，这种方法不起作用。我可以在代码中动态构建搜索词，但出于安全原因，我确实需要对所有用户输入使用参数。我查看了无数的谷歌结果，试图找到解决方案，但找不到（当然这肯定是每个人都会发生的，或者我在这里错过了一些非常明显的东西和/或这是不可能的）。有什么想法吗？

原文

I have a problem using the sql server full text feature. I'm converting some forum software to use the full text search and I have everything setup and working. My problems are related to full text queries. I have designed a few queries which run as desired when I test them in sql server management studio using the CONTAINS predicate to locate my search results eg:

Select ....
From ..... 
WHERE Contains(p.Message,'" dog food "' ) ......

So this runs fine but how can I parameterize this in a prepared statement? Ideally I would like to be able to run a query with a where clause like:

Select ....
From ..... 
WHERE Contains(p.Message,'" @SearchTerm "' ) ...

or even

WHERE Contains(p.Message,'"@SearchTerm" Near "@OtherSearchTerm" ) ...

But this approach doesn't work because of the double quotes and all. I could build the search term up dynamically in the code but I really need to be using parameters for all user input for security reasons. I have looked at a zillion google results trying to find a solution but can't(Surely this must happen everyone or am I missing something really obvious here and/or it's not possible ). Any Ideas?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

梦在深巷 2024-11-10 14:54:18

创建一个带有参数的存储过程，例如：

CREATE PROCEDURE [sp_FullTextSearch] 
    @SearchTerm nvarchar(500)
AS
BEGIN
    Select ....
    From ..... 
    WHERE Contains(p.Message, @SearchTerm)
END

然后从代码中调用它。

如何：使用 Visual C# .NET 在 ASP.NET 中调用 SQL Server 存储过程

Create a stored procedure with parameters, like:

CREATE PROCEDURE [sp_FullTextSearch] 
    @SearchTerm nvarchar(500)
AS
BEGIN
    Select ....
    From ..... 
    WHERE Contains(p.Message, @SearchTerm)
END

Then call it from your code.

HOW TO: Call SQL Server Stored Procedures in ASP.NET by Using Visual C# .NET

回复收藏 0 原文

幽梦紫曦～ 2024-11-10 14:54:18

字符串连接怎么样？

WHERE Contains(p.Message, '"' + @SearchTerm + '" Near "' + @OtherSearchTerm + '"')

How about string concatenation?

WHERE Contains(p.Message, '"' + @SearchTerm + '" Near "' + @OtherSearchTerm + '"')

回复收藏 0 原文

岁月静好 2024-11-10 14:54:18

这个答案演示了使用 Enterprise Library 5.0 在 VB.NET 中进行参数化 SQL Server 全文搜索；并进一步显示为每个“对象类型”（想想人、地点和事物）返回十行。

给出下表和全文索引：

CREATE TABLE [dbo].[SearchIndexes](
    [SearchIndexId] [int] IDENTITY(1,1) NOT NULL,
    [ObjectKey] [nvarchar](50) NOT NULL,
    [ObjectText] [nvarchar](4000) NOT NULL,
    [CreateDate] [datetime] NOT NULL,
    [ObjectTypeId] [int] NOT NULL,
 CONSTRAINT [PK_SearchIndexes] PRIMARY KEY CLUSTERED 
(
    [SearchIndexId] ASC
)WITH (PAD_INDEX  = OFF, STATISTICS_NORECOMPUTE  = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS  = ON, ALLOW_PAGE_LOCKS  = ON) ON [PRIMARY]
) ON [PRIMARY]

GO

CREATE FULLTEXT INDEX ON [dbo].[SearchIndexes](
[ObjectText] LANGUAGE [English])
KEY INDEX [PK_SearchIndexes] ON ([MyDbFullTextCatalog], FILEGROUP [PRIMARY])
WITH (CHANGE_TRACKING = AUTO, STOPLIST = SYSTEM)

代码：

Public Function FullTextSearch(text As String) As System.Collections.Generic.List(Of String)

  Const SqlFormat As String = "with RankCte as (select ObjectText, Row_number() over (Partition BY ObjectTypeId ORDER BY ObjectText ) AS RowNum FROM dbo.SearchIndexes where contains(ObjectText, @ObjectTextParameter)) SELECT ObjectText FROM RankCte where RowNum <= 10"
  Const ParameterFormat As String = """{0}*"""

  Dim db = Databases.MyDb

  Using command = db.GetSqlStringCommand(SqlFormat)
    Dim parameterValue = String.Format(Globalization.CultureInfo.InvariantCulture, ParameterFormat, text)
    'parameterValue should now be something like "search*" (includes the double quotes)

    db.AddInParameter(command, "ObjectTextParameter", DbType.String, parameterValue)

    Using reader = db.ExecuteReader(command)
      Dim results As New List(Of String)
      Do While reader.Read()
        results.Add(reader(0).ToString)
      Loop
      Return results
    End Using
  End Using
End Function

This answer demonstrates a parameterized SQL Server Full-Text Search in VB.NET using the Enterprise Library 5.0; and further shows returning ten rows for each "object type" (think people, places and things).

Given the following table and full-text index:

CREATE TABLE [dbo].[SearchIndexes](
    [SearchIndexId] [int] IDENTITY(1,1) NOT NULL,
    [ObjectKey] [nvarchar](50) NOT NULL,
    [ObjectText] [nvarchar](4000) NOT NULL,
    [CreateDate] [datetime] NOT NULL,
    [ObjectTypeId] [int] NOT NULL,
 CONSTRAINT [PK_SearchIndexes] PRIMARY KEY CLUSTERED 
(
    [SearchIndexId] ASC
)WITH (PAD_INDEX  = OFF, STATISTICS_NORECOMPUTE  = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS  = ON, ALLOW_PAGE_LOCKS  = ON) ON [PRIMARY]
) ON [PRIMARY]

GO

CREATE FULLTEXT INDEX ON [dbo].[SearchIndexes](
[ObjectText] LANGUAGE [English])
KEY INDEX [PK_SearchIndexes] ON ([MyDbFullTextCatalog], FILEGROUP [PRIMARY])
WITH (CHANGE_TRACKING = AUTO, STOPLIST = SYSTEM)

Code:

Public Function FullTextSearch(text As String) As System.Collections.Generic.List(Of String)

  Const SqlFormat As String = "with RankCte as (select ObjectText, Row_number() over (Partition BY ObjectTypeId ORDER BY ObjectText ) AS RowNum FROM dbo.SearchIndexes where contains(ObjectText, @ObjectTextParameter)) SELECT ObjectText FROM RankCte where RowNum <= 10"
  Const ParameterFormat As String = """{0}*"""

  Dim db = Databases.MyDb

  Using command = db.GetSqlStringCommand(SqlFormat)
    Dim parameterValue = String.Format(Globalization.CultureInfo.InvariantCulture, ParameterFormat, text)
    'parameterValue should now be something like "search*" (includes the double quotes)

    db.AddInParameter(command, "ObjectTextParameter", DbType.String, parameterValue)

    Using reader = db.ExecuteReader(command)
      Dim results As New List(Of String)
      Do While reader.Read()
        results.Add(reader(0).ToString)
      Loop
      Return results
    End Using
  End Using
End Function

回复收藏 0 原文

~没有更多了~