微信公众号搜"智元新知"关注
微信扫一扫可直接关注哦!

根据过滤条件生成动态 SQL 查询

分类:编程问答

如何解决根据过滤条件生成动态 SQL 查询

我们要求客户可以根据特定条件过滤记录。

以下是我在控制器中获得的示例过滤条件

[
   {
      "Field":"BANKNAME","Operator":"=","Value":"35","Conditionoperator":"OR","DField":"N"
   },{
      "Field":"BANKNAME","Value":"15","Conditionoperator":"AND",{
      "Field":"PTLOCATION","Value":"261","Conditionoperator":" ","DField":"Y"
   ]

我们根据过滤条件生成SQL查询,下面是我们尝试过的代码

var FilterCondition = JsonConvert.DeserializeObject<List<RptFilterCondition>>(filter);
string filterCondition = string.Empty;
var lstFilterCondition = FilterCondition.Where(a => a.DField == "N").ToList();
for (int i = 0; i < lstFilterCondition.Count; i++)
{
    if (i == 0 && FilterCondition.Count == 1)
    {
        filterCondition += " custom.CustomeFieldName ='" + lstFilterCondition[i].Field + "' and custom.FIELDVALUE " + lstFilterCondition[i].Operator + "'" + lstFilterCondition[i].Value + "' ";
    }
    else if (i == 0 && !isanycondition)
    {
        filterCondition += " (custom.CustomeFieldName ='" + lstFilterCondition[i].Field + "' and custom.FIELDVALUE " + lstFilterCondition[i].Operator + "'" + lstFilterCondition[i].Value + "' )" + lstFilterCondition[i].Conditionoperator;
    }
    else if (i == FilterCondition.Count - 1)
    {
        filterCondition += " (custom.CustomeFieldName='" + lstFilterCondition[i].Field + "'  and custom.FIELDVALUE " + lstFilterCondition[i].Operator + "'" + lstFilterCondition[i].Value + "' )";
    }
    else
    {
        filterCondition += " (custom.CustomeFieldName='" + lstFilterCondition[i].Field + "'  and custom.FIELDVALUE" + lstFilterCondition[i].Operator + "'" + lstFilterCondition[i].Value + "' )" + lstFilterCondition[i].Conditionoperator;
    }
}

return filterCondition;

下面是生成的过滤条件

(custom.CustomeFieldName ='BANKNAME' and custom.FIELDVALUE ='35') OR 
(custom.CustomeFieldName='BANKNAME'  and custom.FIELDVALUE='15')
and (PTLOCATION = 261)

下面是预期的输出圆括号应该来自相同的字段名称

((custom.CustomeFieldName ='BANKNAME' and custom.FIELDVALUE ='35') OR 
(custom.CustomeFieldName='BANKNAME'  and custom.FIELDVALUE='15'))
and (PTLOCATION = 261)

解决方法

如评论中所述,该代码易受 SQL 注入攻击。

另一种选择是使用 ORM,例如EF 并编写您自己的“引擎”以从自定义查询模型转换为 LINQ - https://docs.microsoft.com/en-us/ef/core/querying/

更简单的选择可能是使用 OData,它支持用户定义的开箱即用查询,并连接到 EF - https://docs.microsoft.com/en-us/odata/webapi/getting-startedhttps://docs.microsoft.com/en-us/odata/client/query-options

版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。

苹果市值2025年有望达4万亿美元
pythonJavaScriptjavaHTMLPHPreactjsC#AndroidCSSNode.jssqlrpython-3.xMysqLjQueryc++pandasFlutterangularIOSdjangolinuxswifttypescript路由器JSON路由器设置无线路由器h3c华三华三路由器设置华三路由器电脑软件教程arraysdocker软件图文教程Cvue.jslaravelspring-boot