开发者

Parse through paramaterized string for oledb

I am using OleDB in C#/.net and do not like the way oledb does parameters with question marks:

using (OleDbConnection sqlConnect = drtevs.GetConnection())
{

OleDbCommand command.CommandText = "UPDATE NAME SET FIRST_NAME = ?, LAST_NAME = ? WHERE ID = ?;";
command.Parameters.Add(new OleDbParameter("@FIRST_NAME", txtFirst));
command.Parameters.Add(new OleDbParameter("@LAST_NAME", txtLast));
command.Parameters.Add(new OleDbParameter("@ID", 12));
command.ExecuteNonQuery();

}

The problem I see is they are not named and therefore cannot reuse them. Is there a better way to do parameters with OleDB? If someone could give me code to execute code like LINQ-TO-SQL the following way:

db.ExecuteQuery("UPDATE NAME SET FIRST_NAME = {0}, LAST_NAME = {1} WHERE ID = {2}", txtFirst, txtLast, 12);

I know the native SQL .net provider has named parameters (ex. @FIRST_NAME, @LAST_NAME) but since I am working with both SQL Server and Oracle that is not an option.

EDIT: I want to avoid SQL injection and by cleaning my parameters and also be able to insert non serializable objects like byte arrays.

All answers given so far would fail if my last name 开发者_StackOverflowwere "' DROP TABLE NAME --", additionally it would cause damage to my db


If you want to re-use the value, and you want sane queries, perhaps the moral equivalent of:

declare @id int = ?
declare @when datetime = ?
...
// some complex query involving @id and @when

Here the ? is limited to the top, and the context is clear.


We can mostly-mimic the linq-to-sql behavior. From documentation on the function:

The parameters are expressed in the query text by using the same curly notation used by Console.WriteLine() and String.Format(). In fact, String.Format() is actually called on the query string you provide, substituting the curly braced parameters with generated parameter names such as @p0, @p1 …, @p(n).

So it should be possible to derive similar code, with one caveat: since OleDb doesn't support named parameters, the behavior for multiple or out of order uses of placeholders is undefined. But we can at least get the following:

public void ExecuteQuery(string sql, params object[] parameters)
{
    //format the sql string with safe parameter names
    var paramNames = new string[parameters.Length];
    for (int i = 0; i<parameters.Length; i++)
    {
        paramNames[i] = "?";
    }
    sql = string.Format(sql, paramNames);

    using (OleDbConnection sqlConnect = drtevs.GetConnection())
    {   
        OleDbCommand command.CommandText = sql;

        foreach (int i = 0; i< parameters.Length; i++)
        {
            command.Parameters.Add(new OleDbParameter("?", parameters[i]));
        }

        command.ExecuteNonQuery();

    }
}

Note that this will not work for a query that uses the same placeholder twice, but that's because OleDb doesn't support named parameters like linq-to-sql does.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜