
SqlServer通用分页的调用方法

2007-05-26 18:12 274 查看
前段时间看到几篇关于通用分页存储过程存在SQL注入漏洞的文章。其实,这些漏洞完全可以在程序代码中弥补:对表名、列名等标识符做严格的白名单校验,而把查询条件中的值作为参数绑定。具体做法有很多,当然,如果不想用存储过程,也可以用类似的方法实现。




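namespace Huangyuan.DB
{
    /// <summary>
    /// Builds paging queries for MS SQL Server.
    /// </summary>
    /// <remarks>
    /// The identifier arguments (selected columns, table name, order column and
    /// primary key) are checked against a strict allow-list of identifier
    /// characters and then bracket-quoted, so they cannot carry SQL fragments.
    /// The free-form <c>condition</c> argument cannot be validated that way:
    /// build it from trusted text only and bind any untrusted values as
    /// <c>@parameters</c> on the <c>SqlCommand</c> that executes the returned query.
    /// The paging scheme compares the primary key with the min/max key of the
    /// preceding pages, so it yields correct pages only when <c>order</c> is the
    /// primary key column (or sorts the rows in the same order as it).
    /// </remarks>
    /// <author>Cheney Fu</author>
    public abstract class SQLServer
    {
        /// <summary>
        /// Generates the SQL text that selects one page of a table.
        /// </summary>
        /// <param name="currPage">1-based page number.</param>
        /// <param name="showColumn">Columns to select: "*" or a comma-separated list of column names.</param>
        /// <param name="tableName">Table name, optionally schema-qualified (for example "dbo.Users").</param>
        /// <param name="condition">Filter expression without the leading WHERE; null or empty means no filter. Must not contain untrusted input (see the class remarks).</param>
        /// <param name="order">Column to sort by.</param>
        /// <param name="orderType">1 for descending order; any other value sorts ascending.</param>
        /// <param name="primaryKey">Primary key column used to skip the rows of earlier pages.</param>
        /// <param name="pageSize">Number of rows per page.</param>
        /// <returns>The paging query as SQL text.</returns>
        /// <exception cref="System.ArgumentNullException">An identifier argument is null.</exception>
        /// <exception cref="System.ArgumentException">An identifier argument is empty or contains characters other than ASCII letters, digits and underscore (plus '.' between name parts and ',' between columns).</exception>
        /// <exception cref="System.ArgumentOutOfRangeException"><paramref name="currPage"/> or <paramref name="pageSize"/> is less than 1.</exception>
        public static string Pagination(int currPage, string showColumn, string tableName,
            string condition, string order, int orderType, string primaryKey, int pageSize)
        {
            if (currPage < 1)
            {
                throw new System.ArgumentOutOfRangeException("currPage", "Page number must be 1 or greater.");
            }
            if (pageSize < 1)
            {
                throw new System.ArgumentOutOfRangeException("pageSize", "Page size must be 1 or greater.");
            }

            // Every identifier is validated and quoted before it touches the query text.
            string columns = QuoteColumnList(showColumn, "showColumn");
            string table = QuoteQualifiedName(tableName, "tableName");
            string orderColumn = QuoteQualifiedName(order, "order");
            string keyColumn = QuoteQualifiedName(primaryKey, "primaryKey");

            // orderType == 1 sorts descending; the boundary row for the next page is then the
            // smallest key among the preceding pages, otherwise the largest.
            bool descending = orderType == 1;
            string orderBy = " order by " + orderColumn + (descending ? " desc " : " asc ");
            string boundary = descending ? "<(select min" : ">(select max";
            string where = string.IsNullOrEmpty(condition) ? string.Empty : " where " + condition;

            StringBuilder query = new StringBuilder();
            query.Append("select top ").Append(pageSize).Append(" ");
            query.Append(columns).Append(" from ").Append(table);

            if (currPage == 1)
            {
                query.Append(where).Append(orderBy);
                return query.ToString();
            }

            // Page n keeps the rows whose key lies beyond the key that ends page n-1.
            // The inner query applies the same filter as the outer one; without it the
            // skipped rows would be taken from the whole table and the page would be wrong.
            query.Append(string.IsNullOrEmpty(where) ? " where " : where + " and ");
            query.Append(keyColumn).Append(boundary).Append("(").Append(keyColumn).Append(") from (select top ");
            // long arithmetic so a large page number cannot overflow the row count.
            query.Append((long)(currPage - 1) * pageSize).Append(" ");
            query.Append(keyColumn).Append(" from ").Append(table).Append(where);
            query.Append(orderBy).Append(") as TABTEMP)");
            query.Append(orderBy);
            return query.ToString();
        }

        // Accepts one plain SQL identifier part: an ASCII letter or underscore followed by
        // ASCII letters, digits or underscores. Anything else (quotes, spaces, ';', '-') is rejected.
        private static bool IsPlainIdentifier(string part)
        {
            if (string.IsNullOrEmpty(part))
            {
                return false;
            }
            for (int i = 0; i < part.Length; i++)
            {
                char c = part[i];
                bool letter = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_';
                bool digit = i > 0 && c >= '0' && c <= '9';
                if (!letter && !digit)
                {
                    return false;
                }
            }
            return true;
        }

        // Validates a possibly schema-qualified name ("a.b") and returns it with every part
        // bracket-quoted ("[a].[b]"), which also keeps reserved words such as "Order" usable.
        private static string QuoteQualifiedName(string name, string paramName)
        {
            if (name == null)
            {
                throw new System.ArgumentNullException(paramName);
            }
            string[] parts = name.Trim().Split('.');
            StringBuilder quoted = new StringBuilder();
            for (int i = 0; i < parts.Length; i++)
            {
                string part = parts[i].Trim();
                if (!IsPlainIdentifier(part))
                {
                    throw new System.ArgumentException("Value is not a plain SQL identifier.", paramName);
                }
                if (i > 0)
                {
                    quoted.Append('.');
                }
                quoted.Append('[').Append(part).Append(']');
            }
            return quoted.ToString();
        }

        // Validates "*" or a comma-separated list of (optionally qualified) column names and
        // returns the list with each name bracket-quoted, separated by ", ".
        private static string QuoteColumnList(string columns, string paramName)
        {
            if (columns == null)
            {
                throw new System.ArgumentNullException(paramName);
            }
            string trimmed = columns.Trim();
            if (trimmed == "*")
            {
                return "*";
            }
            string[] parts = trimmed.Split(',');
            StringBuilder quoted = new StringBuilder();
            for (int i = 0; i < parts.Length; i++)
            {
                if (i > 0)
                {
                    quoted.Append(", ");
                }
                quoted.Append(QuoteQualifiedName(parts[i], paramName));
            }
            return quoted.ToString();
        }
    }
}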

调用方法很简单,只要传入相应的参数即可获得所要查询的记录集合。

表:Users 字段:UserId(bigint), Username(varchar(20)), UserPassword(varchar(50)), Email(varchar(50)), AppendDate(datetime)

下面的代码中只需要传入当前页码,即可获得该页的记录集合,是不是很方便?当然,如果需要的话,也可以把排序列和排序方式作为参数传入。




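/// <summary>
/// Loads one page (30 rows, newest UserId first) of the Users table.
/// </summary>
/// <param name="currPage">1-based page number passed through to <see cref="SQLServer.Pagination"/>.</param>
/// <returns>The users of the requested page; empty when the page has no rows.</returns>
public IList<User> GetUsers(int currPage)
{
    // All identifiers are fixed strings and the condition is empty, so no request data
    // reaches the SQL text. A filter, if added later, should use @placeholders in the
    // condition and bind the values on the command below.
    string query = SQLServer.Pagination(currPage, "*", "Users", "", "UserId", 1, "UserId", 30);
    List<User> users = new List<User>();

    using (SqlConnection con = new SqlConnection(ConnectionString))
    using (SqlCommand command = new SqlCommand(query, con))
    {
        // ExecuteReader requires an open connection.
        con.Open();
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // How a row maps onto a User depends on the application.
            }
        }
    }

    return users;
}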