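        /// <summary>
        /// Builds a SQL condition fragment from <paramref name="dbParas"/> (author: huhm2008).
        /// </summary>
        /// <param name="sqlCmd">Source SQL statement; a parameter that <paramref name="sqlCmd"/> already references is not appended again.</param>
        /// <param name="dbParas">Parameters to turn into conditions; <c>null</c> yields an empty string.</param>
        /// <returns>
        /// <see cref="string.Empty"/> when there are no parameters, otherwise a fragment such as
        /// " AND UserCode=@UserCode AND Password=@Password".
        /// </returns>
        /// <remarks>
        /// Security: <c>para.ParameterName</c> is spliced into the SQL text as a column name in both
        /// the "name=@name" and the "name IN(...)" forms, so parameter names must come from trusted
        /// code, never from request input. The IN(...) form inlines the raw value and relies entirely
        /// on <c>FuncHelper.IsIntArrayString</c> (not visible here) accepting nothing but a
        /// comma-separated list of integers — confirm that helper is strict before relying on it.
        /// </remarks>
        public static string BuildParaSqlString(string sqlCmd, DbParameter[] dbParas)
        {
            StringBuilder cParaWhere = new StringBuilder();

            if (dbParas == null)
            {
                return cParaWhere.ToString();
            }

            // The trailing space guarantees a non-alphanumeric character after a parameter that
            // ends the statement, so the "[^0-9a-zA-Z]+" tail below can still match there.
            string searchText = sqlCmd + " ";

            foreach (DbParameter para in dbParas)
            {
                if (para == null)
                {
                    // Tolerate sparse arrays instead of throwing NullReferenceException.
                    continue;
                }

                string paraValue = para.Value == null ? "" : para.Value.ToString();

                if (paraValue.IndexOf(',') < 0)
                {
                    string columnName = TransToColumnName(para.ParameterName);

                    // Regex.Escape: the column name is data, not pattern syntax; an unescaped '.' or '$'
                    // in it would silently change what "already present in sqlCmd" means.
                    // The "[^0-9a-zA-Z]+" tail stops "@User" from matching a longer "@UserCode".
                    string pattern = "@" + Regex.Escape(columnName) + "[^0-9a-zA-Z]+";
                    if (!Regex.IsMatch(searchText, pattern, RegexOptions.IgnoreCase))
                    {
                        cParaWhere.Append(" AND " + para.ParameterName + "=@" + columnName);
                    }
                }
                else if (FuncHelper.IsIntArrayString(paraValue))
                {
                    // A value containing ',' is not bound as a parameter but inlined as an IN list.
                    // Only a strict integer-list check makes that inlining safe; anything else is dropped.
                    cParaWhere.Append(" AND " + para.ParameterName + " IN(" + paraValue + ")");
                }
            }

            return cParaWhere.ToString();
        }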