SqlServer通用分页的调用方法
2007-05-26 18:12
前段时间看到几篇关于通用分页存储过程SQL注入漏洞的文章。其实,这些漏洞完全可以通过程序来弥补,具体做法有很多;当然,如果懒得用存储过程,也可以用类似的方法来实现。
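namespace Huangyuan.DB
{
    /// <summary>
    /// Helpers for building MS SQL Server statements.
    /// </summary>
    /// <author>Cheney Fu</author>
    public abstract class SQLServer
    {
        /// <summary>
        /// Builds a keyset-style paging query for SQL Server:
        /// page 1 is "select top N ... order by ...", later pages filter on
        /// <paramref name="primaryKey"/> against the min/max key of the
        /// preceding (currPage - 1) * pageSize rows.
        /// </summary>
        /// <remarks>
        /// Identifiers (<paramref name="showColumn"/>, <paramref name="tableName"/>,
        /// <paramref name="order"/>, <paramref name="primaryKey"/>) are validated as
        /// plain SQL Server identifiers and bracket-quoted; anything else is rejected
        /// with <see cref="System.ArgumentException"/>. Rejecting is the only safe option
        /// here because identifiers cannot be bound as parameters. No keyword filtering
        /// is applied: stripping "insert "/"drop table " etc. does not prevent injection
        /// and mangles legitimate text (lower-casing, doubling quotes).
        /// The keyset comparison is made on <paramref name="primaryKey"/> while the rows
        /// are ordered by <paramref name="order"/>; pages are only exact when these are
        /// the same column, as in the example call below.
        /// </remarks>
        /// <param name="currPage">1-based page number.</param>
        /// <param name="showColumn">"*" or a comma-separated list of column names.</param>
        /// <param name="tableName">Table name, optionally schema-qualified ("dbo.Users").</param>
        /// <param name="condition">
        /// Optional WHERE clause body (without "where"). It is spliced into the statement
        /// verbatim, wrapped in parentheses, so it must be program-written text; values
        /// supplied by users belong in parameter placeholders (e.g. "Username = @name")
        /// that the caller binds on the SqlCommand.
        /// </param>
        /// <param name="order">Column (or comma-separated columns) to order by.</param>
        /// <param name="orderType">1 = descending; any other value = ascending.</param>
        /// <param name="primaryKey">Key column used for the keyset comparison.</param>
        /// <param name="pageSize">Rows per page, at least 1.</param>
        /// <returns>The SELECT statement text.</returns>
        /// <exception cref="System.ArgumentNullException">An identifier argument is null.</exception>
        /// <exception cref="System.ArgumentException">An identifier argument is not a plain identifier.</exception>
        /// <exception cref="System.ArgumentOutOfRangeException"><paramref name="currPage"/> or <paramref name="pageSize"/> is less than 1.</exception>
        public static string Pagination(int currPage, string showColumn, string tableName,
            string condition, string order, int orderType, string primaryKey, int pageSize)
        {
            if (currPage < 1)
            {
                throw new System.ArgumentOutOfRangeException("currPage", "currPage must be 1 or greater.");
            }
            if (pageSize < 1)
            {
                throw new System.ArgumentOutOfRangeException("pageSize", "pageSize must be 1 or greater.");
            }

            // Fail closed: every identifier is checked and quoted before it reaches the SQL text.
            string columns = QuoteColumnList(showColumn, "showColumn", true);
            string table = QuoteQualifiedName(tableName, "tableName");
            string orderColumns = QuoteColumnList(order, "order", false);
            string key = QuoteQualifiedName(primaryKey, "primaryKey");

            string direction = orderType == 1 ? "desc" : "asc";
            // Descending pages continue below the smallest key already shown; ascending above the largest.
            string comparison = orderType == 1 ? " < (select min(" : " > (select max(";
            string orderBy = " order by " + orderColumns + " " + direction;
            // Parentheses keep an "a or b" condition from binding wrongly with the appended "and".
            bool hasCondition = condition != null && condition.Trim().Length != 0;
            string where = hasCondition ? " where (" + condition + ")" : string.Empty;

            StringBuilder query = new StringBuilder();
            query.Append("select top ").Append(pageSize).Append(" ");
            query.Append(columns).Append(" from ").Append(table);

            if (currPage == 1)
            {
                query.Append(where).Append(orderBy);
                return query.ToString();
            }

            // long arithmetic so a large page number cannot overflow int.
            long skip = (long)(currPage - 1) * pageSize;
            query.Append(hasCondition ? where + " and " : " where ");
            query.Append(key).Append(comparison).Append(key).Append(") from (select top ");
            query.Append(skip).Append(" ").Append(key).Append(" from ").Append(table);
            // The inner query must apply the same condition, otherwise the skipped rows
            // are counted over the whole table and the page boundaries are wrong.
            query.Append(where).Append(orderBy).Append(") as TABTEMP)");
            query.Append(orderBy);
            return query.ToString();
        }

        /// <summary>
        /// Quotes "*" (when allowed) or a comma-separated list of column names
        /// as "[a], [b]". Each item may be qualified ("t.Col").
        /// </summary>
        /// <exception cref="System.ArgumentNullException"><paramref name="columns"/> is null.</exception>
        /// <exception cref="System.ArgumentException">An item is not a plain identifier.</exception>
        private static string QuoteColumnList(string columns, string paramName, bool allowStar)
        {
            if (columns == null)
            {
                throw new System.ArgumentNullException(paramName);
            }
            string trimmed = columns.Trim();
            if (allowStar && trimmed == "*")
            {
                return "*";
            }
            string[] items = trimmed.Split(',');
            for (int i = 0; i < items.Length; i++)
            {
                items[i] = QuoteQualifiedName(items[i], paramName);
            }
            return string.Join(", ", items);
        }

        /// <summary>
        /// Quotes "name" or "part.part" as "[part].[part]".
        /// </summary>
        /// <exception cref="System.ArgumentNullException"><paramref name="name"/> is null.</exception>
        /// <exception cref="System.ArgumentException">A part is not a plain identifier.</exception>
        private static string QuoteQualifiedName(string name, string paramName)
        {
            if (name == null)
            {
                throw new System.ArgumentNullException(paramName);
            }
            string[] parts = name.Trim().Split('.');
            for (int i = 0; i < parts.Length; i++)
            {
                parts[i] = QuoteIdentifier(parts[i], paramName);
            }
            return string.Join(".", parts);
        }

        /// <summary>
        /// Wraps one identifier in brackets. Already-bracketed input ("[Col]") is accepted;
        /// anything other than letters, digits and underscores is rejected, so the
        /// bracketed form never needs a "]" escape.
        /// </summary>
        /// <exception cref="System.ArgumentException"><paramref name="identifier"/> is not a plain identifier.</exception>
        private static string QuoteIdentifier(string identifier, string paramName)
        {
            string id = identifier.Trim();
            if (id.Length > 2 && id[0] == '[' && id[id.Length - 1] == ']')
            {
                id = id.Substring(1, id.Length - 2);
            }
            if (!IsPlainIdentifier(id))
            {
                throw new System.ArgumentException("'" + identifier + "' is not a plain SQL Server identifier.", paramName);
            }
            return "[" + id + "]";
        }

        /// <summary>
        /// True when <paramref name="s"/> is non-empty, starts with a letter or underscore,
        /// and contains only ASCII letters, digits and underscores.
        /// </summary>
        private static bool IsPlainIdentifier(string s)
        {
            if (s.Length == 0)
            {
                return false;
            }
            for (int i = 0; i < s.Length; i++)
            {
                char c = s[i];
                bool letterOrUnderscore = c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
                bool digitAfterFirst = i > 0 && c >= '0' && c <= '9';
                if (!letterOrUnderscore && !digitAfterFirst)
                {
                    return false;
                }
            }
            return true;
        }
    }
}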
调用方法很简单,只要传入相应的参数即可获得所要查询的记录集合。
表:Users 字段:UserId(bigint), Username(varchar(20)), UserPassword(varchar(50)), Email(varchar(50)), AppendDate(datetime)
下面的代码中只需要传入当前页码,即可获得该页的记录集合。是不是很方便呢?当然,如果需要的话,也可以把排序列作为参数传入。
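/// <summary>
/// Fetches one page (30 rows) of the Users table, highest UserId first.
/// </summary>
/// <remarks>
/// Only the page number comes from the caller; every identifier handed to
/// <see cref="SQLServer.Pagination"/> is a literal. The reader-to-User mapping
/// inside the loop is application-specific and left as a placeholder, so until
/// it adds to the list the result is empty.
/// </remarks>
/// <param name="currPage">1-based page number.</param>
/// <returns>The users collected from that page.</returns>
public IList<User> GetUsers(int currPage)
{
    string query = SQLServer.Pagination(currPage, "*", "Users", "", "UserId", 1, "UserId", 30);
    List<User> users = new List<User>();
    using (SqlConnection con = new SqlConnection(ConnectionString))
    using (SqlCommand command = new SqlCommand(query, con))
    {
        // ExecuteReader throws on a closed connection; the original never opened it.
        con.Open();
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // Map the current row to a User and add it to 'users' according to the application model.
            }
        }
    }
    return users;
}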
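namespace Huangyuan.DB
{
    /// <summary>
    /// Helpers for building MS SQL Server statements.
    /// </summary>
    /// <author>Cheney Fu</author>
    public abstract class SQLServer
    {
        /// <summary>
        /// Builds a keyset-style paging query for SQL Server:
        /// page 1 is "select top N ... order by ...", later pages filter on
        /// <paramref name="primaryKey"/> against the min/max key of the
        /// preceding (currPage - 1) * pageSize rows.
        /// </summary>
        /// <remarks>
        /// Identifiers (<paramref name="showColumn"/>, <paramref name="tableName"/>,
        /// <paramref name="order"/>, <paramref name="primaryKey"/>) are validated as
        /// plain SQL Server identifiers and bracket-quoted; anything else is rejected
        /// with <see cref="System.ArgumentException"/>. Rejecting is the only safe option
        /// here because identifiers cannot be bound as parameters. No keyword filtering
        /// is applied: stripping "insert "/"drop table " etc. does not prevent injection
        /// and mangles legitimate text (lower-casing, doubling quotes).
        /// The keyset comparison is made on <paramref name="primaryKey"/> while the rows
        /// are ordered by <paramref name="order"/>; pages are only exact when these are
        /// the same column, as in the example call below.
        /// </remarks>
        /// <param name="currPage">1-based page number.</param>
        /// <param name="showColumn">"*" or a comma-separated list of column names.</param>
        /// <param name="tableName">Table name, optionally schema-qualified ("dbo.Users").</param>
        /// <param name="condition">
        /// Optional WHERE clause body (without "where"). It is spliced into the statement
        /// verbatim, wrapped in parentheses, so it must be program-written text; values
        /// supplied by users belong in parameter placeholders (e.g. "Username = @name")
        /// that the caller binds on the SqlCommand.
        /// </param>
        /// <param name="order">Column (or comma-separated columns) to order by.</param>
        /// <param name="orderType">1 = descending; any other value = ascending.</param>
        /// <param name="primaryKey">Key column used for the keyset comparison.</param>
        /// <param name="pageSize">Rows per page, at least 1.</param>
        /// <returns>The SELECT statement text.</returns>
        /// <exception cref="System.ArgumentNullException">An identifier argument is null.</exception>
        /// <exception cref="System.ArgumentException">An identifier argument is not a plain identifier.</exception>
        /// <exception cref="System.ArgumentOutOfRangeException"><paramref name="currPage"/> or <paramref name="pageSize"/> is less than 1.</exception>
        public static string Pagination(int currPage, string showColumn, string tableName,
            string condition, string order, int orderType, string primaryKey, int pageSize)
        {
            if (currPage < 1)
            {
                throw new System.ArgumentOutOfRangeException("currPage", "currPage must be 1 or greater.");
            }
            if (pageSize < 1)
            {
                throw new System.ArgumentOutOfRangeException("pageSize", "pageSize must be 1 or greater.");
            }

            // Fail closed: every identifier is checked and quoted before it reaches the SQL text.
            string columns = QuoteColumnList(showColumn, "showColumn", true);
            string table = QuoteQualifiedName(tableName, "tableName");
            string orderColumns = QuoteColumnList(order, "order", false);
            string key = QuoteQualifiedName(primaryKey, "primaryKey");

            string direction = orderType == 1 ? "desc" : "asc";
            // Descending pages continue below the smallest key already shown; ascending above the largest.
            string comparison = orderType == 1 ? " < (select min(" : " > (select max(";
            string orderBy = " order by " + orderColumns + " " + direction;
            // Parentheses keep an "a or b" condition from binding wrongly with the appended "and".
            bool hasCondition = condition != null && condition.Trim().Length != 0;
            string where = hasCondition ? " where (" + condition + ")" : string.Empty;

            StringBuilder query = new StringBuilder();
            query.Append("select top ").Append(pageSize).Append(" ");
            query.Append(columns).Append(" from ").Append(table);

            if (currPage == 1)
            {
                query.Append(where).Append(orderBy);
                return query.ToString();
            }

            // long arithmetic so a large page number cannot overflow int.
            long skip = (long)(currPage - 1) * pageSize;
            query.Append(hasCondition ? where + " and " : " where ");
            query.Append(key).Append(comparison).Append(key).Append(") from (select top ");
            query.Append(skip).Append(" ").Append(key).Append(" from ").Append(table);
            // The inner query must apply the same condition, otherwise the skipped rows
            // are counted over the whole table and the page boundaries are wrong.
            query.Append(where).Append(orderBy).Append(") as TABTEMP)");
            query.Append(orderBy);
            return query.ToString();
        }

        /// <summary>
        /// Quotes "*" (when allowed) or a comma-separated list of column names
        /// as "[a], [b]". Each item may be qualified ("t.Col").
        /// </summary>
        /// <exception cref="System.ArgumentNullException"><paramref name="columns"/> is null.</exception>
        /// <exception cref="System.ArgumentException">An item is not a plain identifier.</exception>
        private static string QuoteColumnList(string columns, string paramName, bool allowStar)
        {
            if (columns == null)
            {
                throw new System.ArgumentNullException(paramName);
            }
            string trimmed = columns.Trim();
            if (allowStar && trimmed == "*")
            {
                return "*";
            }
            string[] items = trimmed.Split(',');
            for (int i = 0; i < items.Length; i++)
            {
                items[i] = QuoteQualifiedName(items[i], paramName);
            }
            return string.Join(", ", items);
        }

        /// <summary>
        /// Quotes "name" or "part.part" as "[part].[part]".
        /// </summary>
        /// <exception cref="System.ArgumentNullException"><paramref name="name"/> is null.</exception>
        /// <exception cref="System.ArgumentException">A part is not a plain identifier.</exception>
        private static string QuoteQualifiedName(string name, string paramName)
        {
            if (name == null)
            {
                throw new System.ArgumentNullException(paramName);
            }
            string[] parts = name.Trim().Split('.');
            for (int i = 0; i < parts.Length; i++)
            {
                parts[i] = QuoteIdentifier(parts[i], paramName);
            }
            return string.Join(".", parts);
        }

        /// <summary>
        /// Wraps one identifier in brackets. Already-bracketed input ("[Col]") is accepted;
        /// anything other than letters, digits and underscores is rejected, so the
        /// bracketed form never needs a "]" escape.
        /// </summary>
        /// <exception cref="System.ArgumentException"><paramref name="identifier"/> is not a plain identifier.</exception>
        private static string QuoteIdentifier(string identifier, string paramName)
        {
            string id = identifier.Trim();
            if (id.Length > 2 && id[0] == '[' && id[id.Length - 1] == ']')
            {
                id = id.Substring(1, id.Length - 2);
            }
            if (!IsPlainIdentifier(id))
            {
                throw new System.ArgumentException("'" + identifier + "' is not a plain SQL Server identifier.", paramName);
            }
            return "[" + id + "]";
        }

        /// <summary>
        /// True when <paramref name="s"/> is non-empty, starts with a letter or underscore,
        /// and contains only ASCII letters, digits and underscores.
        /// </summary>
        private static bool IsPlainIdentifier(string s)
        {
            if (s.Length == 0)
            {
                return false;
            }
            for (int i = 0; i < s.Length; i++)
            {
                char c = s[i];
                bool letterOrUnderscore = c == '_' || (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
                bool digitAfterFirst = i > 0 && c >= '0' && c <= '9';
                if (!letterOrUnderscore && !digitAfterFirst)
                {
                    return false;
                }
            }
            return true;
        }
    }
}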
调用方法很简单,只要传入相应的参数即可获得所要查询的记录集合。
表:Users 字段:UserId(bigint), Username(varchar(20)), UserPassword(varchar(50)), Email(varchar(50)), AppendDate(datetime)
下面的代码中只需要传入当前页码,即可获得该页的记录集合。是不是很方便呢?当然,如果需要的话,也可以把排序列作为参数传入。
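/// <summary>
/// Fetches one page (30 rows) of the Users table, highest UserId first.
/// </summary>
/// <remarks>
/// Only the page number comes from the caller; every identifier handed to
/// <see cref="SQLServer.Pagination"/> is a literal. The reader-to-User mapping
/// inside the loop is application-specific and left as a placeholder, so until
/// it adds to the list the result is empty.
/// </remarks>
/// <param name="currPage">1-based page number.</param>
/// <returns>The users collected from that page.</returns>
public IList<User> GetUsers(int currPage)
{
    string query = SQLServer.Pagination(currPage, "*", "Users", "", "UserId", 1, "UserId", 30);
    List<User> users = new List<User>();
    using (SqlConnection con = new SqlConnection(ConnectionString))
    using (SqlCommand command = new SqlCommand(query, con))
    {
        // ExecuteReader throws on a closed connection; the original never opened it.
        con.Open();
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // Map the current row to a User and add it to 'users' according to the application model.
            }
        }
    }
    return users;
}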