参数化SQL Server中的全文查询

发布于 2025-02-10 08:58:56 字数 658 浏览 5 评论 0原文

我使用SQL Server全文功能有问题。我正在将一些论坛软件转换为使用全文搜索，并且设置了所有内容。我的问题与全文查询有关。当我在SQL Server Management Studio中使用包含的谓词来定位我的搜索结果时，我设计了一些查询，这些查询是根据所需运行的，例如：

Select ....
From ..... 
WHERE Contains(p.Message,'" dog food "' ) ......

这是可以运行的，但是如何在准备好的语句中参数化它？理想情况下，我希望能够使用“ were”子句类似的查询来运行查询：

Select ....
From ..... 
WHERE Contains(p.Message,'" @SearchTerm "' ) ...

甚至是

WHERE Contains(p.Message,'"@SearchTerm" Near "@OtherSearchTerm" ) ...

由于双引号和所有内容而行不通的。我可以在代码中动态构建搜索术语，但是出于安全原因，我确实需要将参数用于所有用户输入。我看了一个数十亿个Google结果，试图找到解决方案，但不能（当然，这一定会发生，或者我在这里错过了一些很明显的东西和/或不可能）。有什么想法吗？

原文

I have a problem using the sql server full text feature. I'm converting some forum software to use the full text search and I have everything setup and working. My problems are related to full text queries. I have designed a few queries which run as desired when I test them in sql server management studio using the CONTAINS predicate to locate my search results eg:

Select ....
From ..... 
WHERE Contains(p.Message,'" dog food "' ) ......

So this runs fine but how can I parameterize this in a prepared statement? Ideally I would like to be able to run a query with a where clause like:

Select ....
From ..... 
WHERE Contains(p.Message,'" @SearchTerm "' ) ...

or even

WHERE Contains(p.Message,'"@SearchTerm" Near "@OtherSearchTerm" ) ...

But this approach doesn't work because of the double quotes and all. I could build the search term up dynamically in the code but I really need to be using parameters for all user input for security reasons. I have looked at a zillion google results trying to find a solution but can't(Surely this must happen everyone or am I missing something really obvious here and/or it's not possible ). Any Ideas?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

欲拥i 2025-02-17 08:58:56

创建一个带有参数的存储过程，例如：

CREATE PROCEDURE [sp_FullTextSearch] 
    @SearchTerm nvarchar(500)
AS
BEGIN
    Select ....
    From ..... 
    WHERE Contains(p.Message, @SearchTerm)
END

然后从代码中调用它。

如何：通过使用Visual C＃.net

Create a stored procedure with parameters, like:

CREATE PROCEDURE [sp_FullTextSearch] 
    @SearchTerm nvarchar(500)
AS
BEGIN
    Select ....
    From ..... 
    WHERE Contains(p.Message, @SearchTerm)
END

Then call it from your code.

HOW TO: Call SQL Server Stored Procedures in ASP.NET by Using Visual C# .NET

回复收藏 0 原文

单调的奢华 2025-02-17 08:58:56

字符串串联怎么样？

WHERE Contains(p.Message, '"' + @SearchTerm + '" Near "' + @OtherSearchTerm + '"')

How about string concatenation?

WHERE Contains(p.Message, '"' + @SearchTerm + '" Near "' + @OtherSearchTerm + '"')

回复收藏 0 原文

深府石板幽径 2025-02-17 08:58:56

该答案使用Enterprise Library 5.0在VB.NET中演示了一个参数化的SQL Server全文搜索；并进一步显示了每种“对象类型”（想人，地点和事物）返回十行。

给定下表和全文索引：

CREATE TABLE [dbo].[SearchIndexes](
    [SearchIndexId] [int] IDENTITY(1,1) NOT NULL,
    [ObjectKey] [nvarchar](50) NOT NULL,
    [ObjectText] [nvarchar](4000) NOT NULL,
    [CreateDate] [datetime] NOT NULL,
    [ObjectTypeId] [int] NOT NULL,
 CONSTRAINT [PK_SearchIndexes] PRIMARY KEY CLUSTERED 
(
    [SearchIndexId] ASC
)WITH (PAD_INDEX  = OFF, STATISTICS_NORECOMPUTE  = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS  = ON, ALLOW_PAGE_LOCKS  = ON) ON [PRIMARY]
) ON [PRIMARY]

GO

CREATE FULLTEXT INDEX ON [dbo].[SearchIndexes](
[ObjectText] LANGUAGE [English])
KEY INDEX [PK_SearchIndexes] ON ([MyDbFullTextCatalog], FILEGROUP [PRIMARY])
WITH (CHANGE_TRACKING = AUTO, STOPLIST = SYSTEM)

代码：

Public Function FullTextSearch(text As String) As System.Collections.Generic.List(Of String)

  Const SqlFormat As String = "with RankCte as (select ObjectText, Row_number() over (Partition BY ObjectTypeId ORDER BY ObjectText ) AS RowNum FROM dbo.SearchIndexes where contains(ObjectText, @ObjectTextParameter)) SELECT ObjectText FROM RankCte where RowNum <= 10"
  Const ParameterFormat As String = """{0}*"""

  Dim db = Databases.MyDb

  Using command = db.GetSqlStringCommand(SqlFormat)
    Dim parameterValue = String.Format(Globalization.CultureInfo.InvariantCulture, ParameterFormat, text)
    'parameterValue should now be something like "search*" (includes the double quotes)

    db.AddInParameter(command, "ObjectTextParameter", DbType.String, parameterValue)

    Using reader = db.ExecuteReader(command)
      Dim results As New List(Of String)
      Do While reader.Read()
        results.Add(reader(0).ToString)
      Loop
      Return results
    End Using
  End Using
End Function

This answer demonstrates a parameterized SQL Server Full-Text Search in VB.NET using the Enterprise Library 5.0; and further shows returning ten rows for each "object type" (think people, places and things).

Given the following table and full-text index:

CREATE TABLE [dbo].[SearchIndexes](
    [SearchIndexId] [int] IDENTITY(1,1) NOT NULL,
    [ObjectKey] [nvarchar](50) NOT NULL,
    [ObjectText] [nvarchar](4000) NOT NULL,
    [CreateDate] [datetime] NOT NULL,
    [ObjectTypeId] [int] NOT NULL,
 CONSTRAINT [PK_SearchIndexes] PRIMARY KEY CLUSTERED 
(
    [SearchIndexId] ASC
)WITH (PAD_INDEX  = OFF, STATISTICS_NORECOMPUTE  = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS  = ON, ALLOW_PAGE_LOCKS  = ON) ON [PRIMARY]
) ON [PRIMARY]

GO

CREATE FULLTEXT INDEX ON [dbo].[SearchIndexes](
[ObjectText] LANGUAGE [English])
KEY INDEX [PK_SearchIndexes] ON ([MyDbFullTextCatalog], FILEGROUP [PRIMARY])
WITH (CHANGE_TRACKING = AUTO, STOPLIST = SYSTEM)

Code:

Public Function FullTextSearch(text As String) As System.Collections.Generic.List(Of String)

  Const SqlFormat As String = "with RankCte as (select ObjectText, Row_number() over (Partition BY ObjectTypeId ORDER BY ObjectText ) AS RowNum FROM dbo.SearchIndexes where contains(ObjectText, @ObjectTextParameter)) SELECT ObjectText FROM RankCte where RowNum <= 10"
  Const ParameterFormat As String = """{0}*"""

  Dim db = Databases.MyDb

  Using command = db.GetSqlStringCommand(SqlFormat)
    Dim parameterValue = String.Format(Globalization.CultureInfo.InvariantCulture, ParameterFormat, text)
    'parameterValue should now be something like "search*" (includes the double quotes)

    db.AddInParameter(command, "ObjectTextParameter", DbType.String, parameterValue)

    Using reader = db.ExecuteReader(command)
      Dim results As New List(Of String)
      Do While reader.Read()
        results.Add(reader(0).ToString)
      Loop
      Return results
    End Using
  End Using
End Function

回复收藏 0 原文

~没有更多了~