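/// <summary>
/// Checks whether a SQL statement that uses parameter placeholders was handed
/// to the command together with parameters.
/// </summary>
/// <param name="conn">
/// Connection the statement will run on. Currently not consulted: the tokenizer
/// is forced into SQL Server mode regardless of the connection settings.
/// </param>
/// <param name="inputSql">SQL text to inspect.</param>
/// <param name="cmdParms">Parameters supplied for the command; may be <c>null</c>.</param>
/// <returns>
/// <c>true</c> when <paramref name="inputSql"/> contains no parameter placeholders,
/// or when it does and at least one parameter was supplied.
/// </returns>
/// <exception cref="ArgumentException">
/// <paramref name="inputSql"/> is a parameterized statement but
/// <paramref name="cmdParms"/> is <c>null</c> or empty.
/// </exception>
/// <remarks>
/// This only verifies that <em>some</em> parameters were passed. It does not check
/// that every placeholder has a matching parameter, nor that the statement text
/// itself was assembled without string concatenation of untrusted input.
/// </remarks>
private bool IsValidParamedSqlQuery(DbConnection conn, string inputSql, IEnumerable<DbParameter> cmdParms)
{
    // SqlServerMode is hard-coded; it is not derived from conn's connection string.
    var statementTokenizer = new SqlStatementTokenizer(inputSql)
    {
        ReturnComments = true,
        SqlServerMode = true,
    };

    // A statement without placeholders has nothing to validate.
    if (!statementTokenizer.IsParamedSql())
    {
        return true;
    }

    // Placeholders are present, so the caller must have provided parameters.
    // Any() stops at the first element instead of counting the whole sequence.
    if (cmdParms == null || !cmdParms.Any())
    {
        throw new ArgumentException("基于参数化查询的SQL命令,请必须提供参数!");
    }

    return true;
}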
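/// <summary>
/// Extracts the parameter placeholder tokens from a parameterized SQL statement.
/// </summary>
/// <param name="inputSql">SQL text to scan; may be <c>null</c> or empty.</param>
/// <param name="sqlParaToken">
/// On return, the placeholder tokens in the order the tokenizer produced them, or
/// <c>null</c> when <paramref name="inputSql"/> is empty or contains no placeholders.
/// </param>
/// <returns>
/// The placeholder tokens joined with <c>","</c>, or <see cref="string.Empty"/>
/// when there are none.
/// </returns>
internal string GetParamSqlTokenToSqlParas(string inputSql, out string[] sqlParaToken)
{
    sqlParaToken = null;

    if (inputSql.IsNullOrEmpty())
    {
        return string.Empty;
    }

    var statementTokenizer = new SqlStatementTokenizer(inputSql)
    {
        ReturnComments = true,
        SqlServerMode = true,
    };

    // No placeholders: nothing to extract, leave sqlParaToken as null.
    if (!statementTokenizer.IsParamedSql())
    {
        return string.Empty;
    }

    // Materialize once and join the array, so the tokenizer's sequence is not enumerated twice.
    sqlParaToken = statementTokenizer.GetAllParamedTokens().ToArray();
    return string.Join(",", sqlParaToken);
}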