WebMatrix sql LIKE %

Posted by 南笙酒味 on 2019-12-07 13:30:39

Question


I am having trouble with the following query. It works when I execute it directly from WebMatrix with static parameters and returns a few rows, but not from my .cshtml page.

var accounts = database.Query(
  @"SELECT Username, Email, row_count
  FROM (SELECT Username, Email, Count(0) OVER() as row_count, ROW_NUMBER() OVER(ORDER BY @0 DESC) as row_number 
  FROM UserProfile 
  WHERE Username LIKE %@1% AND Email LIKE %@2%) as accounts
  WHERE row_number BETWEEN @3 AND @4",
  new object[] { sort, username, email, start, end });

When I replace the LIKE parameters @1 and @2 with static values it works, but it does not ORDER BY parameter @0.


Answer 1:


Use this in your sql:

LIKE '%' + @1 + '%'



Answer 2:


This is because @0 is being evaluated by the query as the literal value of the parameter, rather than the name of the table column - eg. if @0 is 'Username', the relevant part of the query is treated as being ROW_NUMBER() OVER(ORDER BY 'Username' DESC), not ROW_NUMBER() OVER(ORDER BY Username DESC).

The row number is therefore always evaluated as 1.

The solution is therefore to insert the value of @0 into the query string, not to treat it as a bind parameter. (This approach is generally deprecated due to the risk of SQL insertion attacks, but given that you should be able to guarantee the available values of @0 will be valid, it should be appropriate in this case.)

EDIT: An alternative approach - instead of using dynamic SQL, if you are unable to guarantee that @0 will be properly sanitised then you could use a case clause instead:

var accounts = database.Query(
  @"SELECT Username, Email, row_count FROM 
   (SELECT Username, 
           Email,
           Count(0) OVER() as row_count, 
           ROW_NUMBER() OVER(ORDER BY row_group DESC) as row_number 
    FROM (SELECT Username, 
                 Email,
                 CASE @0
                     WHEN 'Username' THEN Username
                     WHEN 'Email' THEN Email
                     /* insert other valid cases here */
                 END as row_group
          FROM UserProfile 
          WHERE Username LIKE '%'+@1+'%' AND Email LIKE '%'+@2+'%') u
   ) as accounts
   WHERE row_number BETWEEN @3 AND @4",
  new object[] { sort, username, email, start, end });
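
Added example, not part of the original answers: one way to make the "guarantee the available values of @0" explicit is an allow-list that maps the requested sort key to a fixed column name, so only known strings are ever concatenated into the SQL while the LIKE terms stay bound parameters. The class and method names (`AccountSearch`, `Build`, `EscapeLike`) and the sample inputs are assumptions; the query shape and `database.Query` come from the question.

```csharp
using System;
using System.Collections.Generic;

static class AccountSearch   // hypothetical helper, not WebMatrix API
{
    // Allow-list: request value -> column name written into the SQL text.
    // Only these fixed strings can ever reach the ORDER BY clause.
    static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "username", "Username" },
            { "email", "Email" },
        };

    // Escape LIKE metacharacters so user input is matched literally.
    static string EscapeLike(string s)
    {
        return (s ?? "").Replace(@"\", @"\\").Replace("%", @"\%")
                        .Replace("_", @"\_").Replace("[", @"\[");
    }

    public static Tuple<string, object[]> Build(
        string sort, string username, string email, int start, int end)
    {
        string column;
        if (sort == null || !SortColumns.TryGetValue(sort, out column))
            column = "Username"; // unknown sort key: fall back to a default

        string sql = @"SELECT Username, Email, row_count
  FROM (SELECT Username, Email, COUNT(0) OVER() AS row_count,
               ROW_NUMBER() OVER(ORDER BY " + column + @" DESC) AS row_number
        FROM UserProfile
        WHERE Username LIKE '%' + @0 + '%' ESCAPE '\'
          AND Email LIKE '%' + @1 + '%' ESCAPE '\') AS accounts
  WHERE row_number BETWEEN @2 AND @3";
        return Tuple.Create(sql, new object[] {
            EscapeLike(username), EscapeLike(email), start, end });
    }

    static void Main()
    {
        // Constructed input: a sort value that is not on the allow-list.
        var q = Build("no_such_column", "50%_off", "", 1, 20);
        Console.WriteLine(q.Item1);                      // ORDER BY Username DESC
        Console.WriteLine(string.Join(" | ", q.Item2));  // 50\%\_off |  | 1 | 20
        // In the .cshtml page: database.Query(q.Item1, q.Item2);
    }
}
```

Because the sort value is no longer a bind parameter, the remaining parameters are renumbered @0 to @3.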



Answer 3:


I'm not familiar with WebMatrix syntax, but logically it seems to me the DB engine doesn't understand the variables %@1% and %@2%. Try using string concatenation to have the value of the variable passed instead of the variable.

So...

WHERE USERname like %" & @1 & "% AND Email like %" & @2 & "%) as accounts



Answer 4:


My Problem

I am using ASP.NET Webpages and am having a similar issue where I am using Database.Query() to execute a SQL SELECT statement using a LIKE clause.

My Solution

Here is a snippet of code that shows how I resolved my issue:

qString = @"
Select *
From
    [Product]
Where Lastname like @0
Order By LastName";

using (var db = Database.Open("StarterSite"))
{
    data = db.Query(qString, "%" + searchTxt + "%");
}   


Source: https://stackoverflow.com/questions/8215246/webmatrix-sql-like
