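I have to execute a SQL Server query in a C# method. The scenario is: a SQL select conditional on an input variable.
The method accepts a variable as string category. If category = "Heterogeneous", then I select as follows: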
    // Requires: using System; using System.Data.SqlClient;
    SqlCommand myCommand = con.CreateCommand();

    // The column name cannot be a SQL parameter, so the command text is
    // chosen from fixed literals according to the category.
    if (simCategory == "Heterogeneous")
    {
        myCommand.CommandText = @"SELECT ProbabilityHeterogeneous FROM Graph
                                  WHERE SourceID = @sourceID AND DestinationID = @destinationID";
    }
    else if (simCategory == "Low")
    {
        myCommand.CommandText = @"SELECT ProbabilityLow FROM Graph
                                  WHERE SourceID = @sourceID AND DestinationID = @destinationID";
    }
    else if (simCategory == "Medium")
    {
        myCommand.CommandText = @"SELECT ProbabilityMedium FROM Graph
                                  WHERE SourceID = @sourceID AND DestinationID = @destinationID";
    }
    else if (simCategory == "High")
    {
        myCommand.CommandText = @"SELECT ProbabilityHigh FROM Graph
                                  WHERE SourceID = @sourceID AND DestinationID = @destinationID";
    }

    // The row values are still passed as parameters.
    myCommand.Parameters.AddWithValue("@sourceID", sID);
    myCommand.Parameters.AddWithValue("@destinationID", dID);

    using (SqlDataReader myReader = myCommand.ExecuteReader())
    {
        while (myReader.Read())
        {
            // Read by ordinal: no query returns a column named "Probability",
            // the selected column's name differs per category.
            inNeighborActivationProbability = Convert.ToDouble(myReader[0]);
        }
        // The using block disposes (and closes) the reader.
    }
Now, is this really the case?
Where is your 'commandText' statement? Just change it according to the category parameter. I don't see a problem. –
@JuanCarlosOropeza Can't we put 'Select @Probability ...' after 'SELECT'? When you suggest changing 'commandText', then every time we need to change the query, but the question is to put all of this into one query? – maliks
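No. You can't use a parameter to change a field name. You need to change your commandText based on the category, then add the parameters and execute the command. But be careful, because if you use an external string to build the query, you can get SQL injection. SQL injection warning https://xkcd.com/327/ –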
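
Added example, not part of the original thread: one way to follow the advice in the last comment is to map the category to a column name through a fixed allowlist, so that no caller-supplied string ever reaches the SQL text, while the IDs stay parameters. The helper name BuildProbabilityCommand, the int type of the IDs and the sample value "Critical" are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class GraphQueries
{
    // Allowlist: only these constants (the four columns from the question)
    // can ever be concatenated into the command text.
    static readonly Dictionary<string, string> ColumnByCategory =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["Heterogeneous"] = "ProbabilityHeterogeneous",
            ["Low"] = "ProbabilityLow",
            ["Medium"] = "ProbabilityMedium",
            ["High"] = "ProbabilityHigh",
        };

    // Hypothetical helper; int IDs are an assumption about the Graph table.
    public static SqlCommand BuildProbabilityCommand(
        SqlConnection con, string simCategory, int sID, int dID)
    {
        // Reject anything that is not an exact allowlist key.
        if (simCategory == null ||
            !ColumnByCategory.TryGetValue(simCategory, out string column))
            throw new ArgumentException("Unknown category", nameof(simCategory));

        SqlCommand cmd = con.CreateCommand();
        // The alias gives every variant the same result column name.
        cmd.CommandText =
            "SELECT " + column + " AS Probability FROM Graph " +
            "WHERE SourceID = @sourceID AND DestinationID = @destinationID";
        cmd.Parameters.Add("@sourceID", SqlDbType.Int).Value = sID;
        cmd.Parameters.Add("@destinationID", SqlDbType.Int).Value = dID;
        return cmd;
    }

    static void Main()
    {
        // The connection is never opened: only the built command is inspected.
        using (var con = new SqlConnection())
        {
            using (var cmd = BuildProbabilityCommand(con, "Low", 1, 2))
                Console.WriteLine(cmd.CommandText);
            // Constructed value that is not in the allowlist.
            try { BuildProbabilityCommand(con, "Critical", 1, 2); }
            catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
        }
    }
}
```

Because each variant aliases its column to Probability, a reader can use myReader["Probability"] regardless of which category was selected.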