  • Handling % and _ in SQL fuzzy (LIKE) matching

    Handling % and _ in fuzzy matching, as part of preventing SQL injection:

            StringBuilder sbSql = new StringBuilder();
            sbSql.Append(@"SELECT * from tablename t where 1 = 1 ");
            string name = dictparameters["Name"].ToString();    // value of the Name parameter
            // Note: in both branches below the value is spliced straight into the SQL text,
            // which is the SQL injection risk that the parameterised version further down removes.
            if (name.Contains("%") || name.Contains("_"))
            {
                // Prefix the LIKE wildcards with '/' and declare '/' as the escape character,
                // so a '%' or '_' typed by the user is matched literally rather than as a wildcard.
                name = name.Replace("%", "/%").Replace("_", "/_");
                sbSql.AppendFormat(@" AND t.Name like '%{0}%' ESCAPE '/'", name);
            }
            else
            {
                sbSql.AppendFormat(@" AND t.Name like '%{0}%'", name);
            }

     The code above builds the query by string concatenation; it is now changed to a parameterised query to prevent SQL injection:

            StringBuilder sbSql = new StringBuilder();
            sbSql.Append(@"SELECT * from tablename t where 1 = 1 ");
            string name = dictparameters["Name"].ToString();    // value of the Name parameter
            // The '%' delimiters are concatenated on the database side around the @Name parameter;
            // the (escaped) value of name must be bound to @Name in the command's parameter collection.
            if (name.Contains("%") || name.Contains("_"))
            {
                name = name.Replace("%", "/%").Replace("_", "/_");
                // ESCAPE is a LIKE clause keyword, not part of the concatenated pattern string
                sbSql.Append(@" AND t.Name like '%' + @Name + '%' ESCAPE '/'");
            }
            else
            {
                sbSql.Append(@" AND t.Name like '%' + @Name + '%'");
            }
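The following is an added example (not the original post's code) that puts the two ideas together: an escape helper and a SqlCommand in which the escaped value is bound as a parameter, so the user's text never becomes SQL. It assumes SQL Server (T-SQL `+` concatenation, hence `[` is also a LIKE metacharacter) and the post's `tablename`/`Name` identifiers; escaping `/` and `[` goes beyond what the post does.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: parameterised LIKE search with a '/' escape character.
// Assumes SQL Server and a table "tablename" with column "Name" (as in the post).
public static class LikeSearch
{
    // Make LIKE metacharacters in user input match themselves.
    // The escape character is doubled first; otherwise a '/' typed by the user
    // would swallow the character that follows it. '[' is escaped because
    // SQL Server treats it as the start of a character class (assumption: SQL Server).
    public static string EscapeLike(string value, char escape = '/')
    {
        string e = escape.ToString();
        return value
            .Replace(e, e + e)
            .Replace("%", e + "%")
            .Replace("_", e + "_")
            .Replace("[", e + "[");
    }

    // The pattern is assembled on the server from a bound parameter, so the
    // SQL text is constant and the user's input cannot alter the statement.
    // ESCAPE is applied unconditionally; it is harmless when no escapes are present.
    public static SqlCommand BuildSearchCommand(SqlConnection conn, string userInput)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT * FROM tablename t " +
            "WHERE t.Name LIKE '%' + @Name + '%' ESCAPE '/'";
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 200).Value = EscapeLike(userInput);
        return cmd;
    }

    public static void Main()
    {
        // Constructed inputs: wildcards, the escape character itself, and a quote.
        // The quote needs no handling at all: it travels as a parameter value, not as SQL.
        foreach (string input in new[] { "100%_done", "a/b", "[x]", "O'Neil" })
        {
            Console.WriteLine($"{input} -> {EscapeLike(input)}");
        }

        // Placeholder connection string: CreateCommand does not require an open connection.
        using (var conn = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER;Integrated Security=true"))
        {
            SqlCommand cmd = BuildSearchCommand(conn, "50%_off");
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("@Name = " + cmd.Parameters["@Name"].Value);
        }
    }
}
```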
  • Original article: https://www.cnblogs.com/guokun/p/5843865.html