我有一个项目,在SQL查询中没有使用任何参数。有没有什么解决方案可以让我不必更改函数和验证查询字符串本身的参数?
Query = "select * from tbl_Users where userName='"& textbox1.text &"' and password='"& textbox2.text &"' "
ds = obj.ExecuteQueryReturnDS(Query)
传递查询的函数:
Public Function ExecuteQueryReturnDS(ByVal stQuery As String) As DataSet
Try
Dim ds As New DataSet
Using sqlCon As New SqlConnection(connStr)
Dim sqlCmd As New SqlCommand(stQuery, sqlCon)
Dim sqlAda As New SqlDataAdapter(sqlCmd)
sqlCmd.CommandType = CommandType.Text
sqlAda.Fill(ds)
End Using
Return ds
Catch ex As Exception
End Try
End Function
我尝试将参数传递到函数中,但该函数也用于其他查询,因此我无法在函数中定义参数。
是否有任何关于的工作
我认为唯一的解决方案是创建一个新函数并逐渐迁移到它
Public Function ExecuteQueryReturnDS(ByVal cmdQuery As SqlCommand) As DataSet
Try
Dim ds As New DataSet
Using sqlCon As New SqlConnection(connStr)
cmdQuery.Connection = sqlCon
Dim sqlAda As New SqlDataAdapter(cmdQuery)
sqlAda.Fill(ds)
End Using
Return ds
Catch ex As Exception
End Try
End Function
cmdQuery
旨在成为SqlCommand
,您已经向其添加了所需的所有参数。
作为切换到完全参数化应用程序之前的中间步骤,您可以更改实际方法以接收可选参数。此可选参数将是在调用此查询时定义的SqlParameter数组
Public Function ExecuteQueryReturnDS(ByVal stQuery As String, Optional ByVal prms As SqlParameter() = Nothing) As DataSet
Try
Dim ds As New DataSet
Using sqlCon As New SqlConnection(connStr)
Dim sqlCmd As New SqlCommand(stQuery, sqlCon)
if Not prms Is Nothing Then
sqlCmd.Parameters.AddRange(prms)
End if
Dim sqlAda As New SqlDataAdapter(sqlCmd)
sqlCmd.CommandType = CommandType.Text
sqlAda.Fill(ds)
End Using
Return ds
Catch ex As Exception
End Try
End Function