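/// <summary>
/// Builds a SQL condition fragment from the given parameters (huhm2008).
/// </summary>
/// <param name="sqlCmd">Source SQL statement; a parameter whose placeholder (@Name) already occurs in it is not appended again.</param>
/// <param name="dbParas">Parameters to turn into conditions; may be null.</param>
/// <returns>
/// <see cref="string.Empty"/> when there are no parameters, otherwise a fragment such as
/// " AND UserCode=@UserCode AND Password=@Password".
/// </returns>
/// <remarks>
/// Each <see cref="DbParameter.ParameterName"/> is concatenated into the SQL text as a column name,
/// so parameter names must come from code, never from user input. A value containing ',' is inlined
/// as an IN(...) list and is only accepted when <c>FuncHelper.IsIntArrayString</c> confirms it is a
/// list of integers; any other comma-separated value is silently dropped.
/// </remarks>
public static string BuildParaSqlString(string sqlCmd, DbParameter[] dbParas)
{
    StringBuilder cParaWhere = new StringBuilder();
    if (dbParas == null)
    {
        return cParaWhere.ToString();
    }

    foreach (DbParameter para in dbParas)
    {
        string paraValue = para.Value == null ? "" : para.Value.ToString();

        if (paraValue.IndexOf(',') < 0)
        {
            string columnName = TransToColumnName(para.ParameterName);

            // Skip the parameter when "@Name" already appears in the statement. The trailing
            // space lets a placeholder at the very end of sqlCmd match; the column name is
            // escaped so characters such as '.', '$' or '[' in it cannot change the pattern.
            string placeholderPattern = "@" + Regex.Escape(columnName) + "[^0-9a-zA-Z]+";
            if (!Regex.IsMatch(sqlCmd + " ", placeholderPattern, RegexOptions.IgnoreCase))
            {
                cParaWhere.Append(" AND " + para.ParameterName + "=@" + columnName);
            }
        }
        else
        {
            // A value containing ',' cannot be bound as a single parameter, so it is inlined
            // as an IN list. Only a pure integer list is allowed; anything else is dropped,
            // because inlining arbitrary text into the statement would permit SQL injection.
            if (FuncHelper.IsIntArrayString(paraValue))
            {
                cParaWhere.Append(" AND " + para.ParameterName + " IN(" + paraValue + ")");
            }
        }
    }

    return cParaWhere.ToString();
}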