1. 首頁
  2. 問答
  3. 參數化SQL查詢語法

參數化SQL查詢語法

2017-08-17 109 views
0

我理解參數化SQL查詢的方式是避免轉義字符錯誤的方法。但我仍然遇到這個問題。參數化SQL查詢語法

try { 
    Import-Module ActiveDirectory 

    $abc = Get-ADUser -ResultSetSize 9998 -Properties employeeid,samaccountname,Department,physicalDeliveryOfficeName,mail,useraccountcontrol,telephonenumber,cn,title,mobile,company,description,manager 

    $connection = New-Object System.Data.SqlClient.SqlConnection 
    $connection.ConnectionString = "server=server.local;database=db;trusted_connection=true;" 
    $connection.Open() 

    $command = New-Object System.Data.SQLClient.SQLCommand 
    $command.Connection = $connection 

    #$command.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@department",[Data.SQLDBType]::VarChar, 250))) 
    #$command.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@physicalDeliveryOfficeName",[Data.SQLDBType]::VarChar, 200))) 

    foreach ($user in $abc) { 
     $command.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@physicalDeliveryOfficeName",[Data.SQLDBType]::VarChar, 200))).value = $user.physicalDeliveryOfficeName 
     $command.Parameters.Add((New-Object Data.SqlClient.SqlParameter("@department",[Data.SQLDBType]::VarChar, 250))).value = $user.Department 
     #$command.Parameters['@department'].value = $user.Department 
     #$command.Parameters['@physicalDeliveryOfficeName'].value = $user.physicalDeliveryOfficeName 

     #if (!$user.department)     { $Command.Parameters['@department'].value = [System.DBNull]::Value } 
     #if (!$user.physicalDeliveryOfficeName) { $Command.Parameters['@physicalDeliveryOfficeName'].value = [System.DBNull]::Value } 

     $insert = "INSERT INTO [Database].[ad].[UserAccountsT] (employeeid,samaccountname,distinguishedName,givenname,sn,title,department,physicaldeliveryofficename,email,telephoneNumber,mobile,company,description,useraccountcontrol,cn,manager) VALUES('{0}','{1}','{2}','{3}','{4}','{5}','{6}','{7}','{8}','{9}','{10}','{11}','{12}','{13}','{14}','{15}')" -f $user.employeeid,$user.samaccountname,$user.DistinguishedName,$user.GivenName,$user.Surname,$user.title,$user.Department,$user.physicalDeliveryOfficeName,$user.mail,$user.telephonenumber,$user.mobile,$user.company,$user.description,$user.userAccountControl,$user.cn,$user.manager 
     $command.CommandText = $insert 
     $command.ExecuteNonQuery() > $null 
     $command.Parameters.Clear() 
    } 
} catch { 
    Write-Host Everything goes wrong at $_ for $user at $user.physicalDeliveryOfficeName $user.Department !!! 
} finally { 
    $connection.Close() 
}

但是,當有在名稱中'我仍然得到一個錯誤:

Exception calling "ExecuteNonQuery" with "0" argument(s): "Incorrect syntax near 's'.

$user.physicalDeliveryOfficeName值是 「公園的avonds」。

來源

2017-08-17 Andry

+0

作爲一個側面說明:惡補儘可能到一個單一的語句使你的代碼更難閱讀和調試。我*強烈*建議你抵制誘惑。 –

+0

答案不夠,但沒有正確使用參數。將參數添加到命令中,但是然後使用格式字符串將字符串文字插入到'$ insert'中。你應該做更像'insert into(field)values(@field_param)'的事情。 – Patrick87

回答

0

根本沒有使用準備語句(參數化查詢)。使用格式運算符將字符串插入字符串模板與通過串聯構建語句沒有區別。

您的代碼應該看起來有點像這樣:

$command = New-Object Data.SQLClient.SQLCommand 
$command.Connection = $connection 
$command.CommandText = 'INSERT INTO [table] (field1, field2) VALUES (@foo, @bar)' 

foreach ($user in $abc) { 
    $command.Parameters.Add((New-Object Data.SqlClient.SqlParameter('@foo', [Data.SQLDBType]::VarChar, 200))).Value = $user.physicalDeliveryOfficeName 
    $command.Parameters.Add((New-Object Data.SqlClient.SqlParameter('@bar', [Data.SQLDBType]::VarChar, 250))).Value = $user.Department 

    $command.Prepare() 
    $command.ExecuteNonQuery() | Out-Null 
    $command.Parameters.Clear() 
}

來源

2017-08-17 14:02:34

相關問題

 相關問題