首页 > 代码库 > C#参数化SQL查询

C#参数化SQL查询

//写一个存储过程
ALTER PROCEDURE dbo.Infosearch        (    @bmid smallint = null,    @xm varchar(10)=null,    @xb varchar(10)=null,    @strage smallint=null,    @endage smallint=null,    @zzmm varchar(10)=null,    @xl varchar(10)=null,    @zw varchar(10)=null    )    AS    /* SET NOCOUNT ON */     declare @sql varchar(100)    if @bmid is not null    begin         set @sql= where 部门ID=+Convert(varchar(10),@bmid)    end        if @xm is not null    begin        if @sql is not null            set @sql=@sql+ and 姓名like+@xm        else set @sql= where 姓名like+@xm    end        if @xb is not null    begin         if    @sql is not null            set @sql=@sql+ and 性别=+@xb        else set @sql= where 性别=+@xb    end        if @strage is not null    begin        if @sql is not null            set @sql=@sql+ and 年龄between +Convert(varchar(10),@strage)        else set @sql= where 年龄between +Convert(varchar(10),@strage)    end        if @endage is not null    begin         set @sql=@sql+ and +Convert(varchar(10),@endage)    end        if @zzmm is not null    begin        if @sql is not null             set @sql=@sql+ and 政治面貌=+@zzmm        else set @sql= where 政治面貌=+@zzmm    end        if @xl is not null    begin        if @sql is not null            set @sql=@sql+ and 学历=+@xl        else set @sql= where 学历=+@xl    end        if @zw is not null    begin        if @sql is not null            set @sql=@sql+ and 职位=+@zw        else set @sql= where 职位=+@zw    end        exec(select 职工号,姓名,性别,年龄,学历,婚姻状况,政治面貌from yuangong+@sql)    RETURN ALTER PROCEDURE dbo.Infosearch        (    @bmid smallint = null,    @xm varchar(10)=null,    @xb varchar(10)=null,    @strage smallint=null,    @endage smallint=null,    @zzmm varchar(10)=null,    @xl varchar(10)=null,    @zw varchar(10)=null    )    AS    /* SET NOCOUNT ON */     declare @sql varchar(100)    if @bmid is not null    begin         set @sql= where 部门ID=+Convert(varchar(10),@bmid)    end        if @xm is not null    begin        if @sql is not null            set @sql=@sql+ and 姓名like+@xm        else set @sql= where 姓名like+@xm    end        if @xb is not null    begin         if    @sql is not null            set @sql=@sql+ and 性别=+@xb        else set @sql= where 性别=+@xb    end        if @strage is not null    begin        if @sql is not null            set @sql=@sql+ and 年龄between +Convert(varchar(10),@strage)        else set @sql= where 年龄between +Convert(varchar(10),@strage)    end        if @endage is not null    begin         set @sql=@sql+ and +Convert(varchar(10),@endage)    end        if @zzmm is not null    begin        if @sql is not null             set @sql=@sql+ and 政治面貌=+@zzmm        else set @sql= where 政治面貌=+@zzmm    end        if @xl is not null    begin        if @sql is not null            set @sql=@sql+ and 学历=+@xl        else set @sql= where 学历=+@xl    end        if @zw is not null    begin        if @sql is not null            set @sql=@sql+ and 职位=+@zw        else set @sql= where 职位=+@zw    end        exec(select 职工号,姓名,性别,年龄,学历,婚姻状况,政治面貌from yuangong+@sql)    RETURN //判断参数是否为空来决定怎样拼接查询语句

如果是多条件查询的话
存储过程里面就一个参数就够了

这个参数是不定条件查询语句
多条件之中判断那个是否为空 如果为空填充1=1 不为空就为条件

 public static IDataReader ExecuteReader(DbCommand comm, string sql, params object[] value)        {            comm.CommandText = sql;            if (value != null && value.Length >= 0)            {                if (comm.CommandText.IndexOf("?") == -1)                {                    string[] temp = sql.Split(@);                    for (int i = 0; i < value.Length; i++)                    {                        string pName;                        if (temp[i + 1].IndexOf(" ") > -1)                        {                            pName = "@" + temp[i + 1].Substring(0, temp[i + 1].IndexOf(" "));                        }                        else                        {                            pName = "@" + temp[i + 1];                        }                        //pName = "@p" + (i + 1).ToString();                        DbParameter p = comm.CreateParameter();                        p.DbType = DbType.String;                        p.ParameterName = pName;                        p.Value = value[i];                        comm.Parameters.Add(p);                    }                }                else                {                    string[] temp = sql.Split(?);                    for (int i = 0; i < value.Length; i++)                    {                        temp[i] = temp[i] + "@p" + (i + 1).ToString();                        string pName = "@p" + (i + 1).ToString();                        DbParameter p = comm.CreateParameter();                        p.DbType = DbType.String;                        p.ParameterName = pName;                        p.Value = value[i];                        comm.Parameters.Add(p);                    }                    StringBuilder sb = new StringBuilder();                    for (int i = 0; i < temp.Length; i++)                    {                        sb.Append(temp[i]);                    }                    comm.CommandText = sb.ToString();                }            }            if (comm.Connection.State != ConnectionState.Open)            {                comm.Connection.Open();            }            return comm.ExecuteReader(CommandBehavior.CloseConnection);        }调用的时候类似:ExecuteReaderParams(comm, "select * from xx where id=? and name=?",id,name);

 

C#参数化SQL查询