public IHttpActionResult Post(ModelName data){
var query="Select * from Table where ColumnName ='"+data.ID+"'";
return Ok(Value);
}
In the above SQL query I want to add multiple ID's in data.ID. for an example I in one instance i need to get data for 2 ID's. in another time I need data from 20 ID's. Im using angular js to pass the json array with data. How can I do that. Do I have to write many data.Id1, data.id2 etc for all my Id data. Any help
As long as you are sanitising your inputs you can use:
var query = "Select * from Table where ColumnName in (" + list_of_ids + ")";
This will work whether you have one Id or several.
list_of_ids will have to be a comma delimited string of values:
"a, b, c, d"
so you'll need some conversion method for adding each id to the list.
You could build up an list of values:
var myList = new List<string>();
if (data.Id1 is set)
{
myList.Add(data.Id1.ToString());
}
etc.
string list_of_ids = string.Join(",", myList);
Related
I have a table with a lot of employees in it, every person has a Name column with their full name.
I then want to do a query similar to this when searching for people:
SELECT * FROM Employees WHERE Name LIKE '%' + #value1 + '%' AND Name LIKE '%' + #value2 +'%' AND so forth...
for an arbitrary array of values.
My Dapper code would look something like this:
public IEnumerable<Employee> Search(string[] words)
{
using var connection = CreateConnection();
connection.Query<Employee>("SELECT * etc.", words);
}
Is there ANY way to do this with SQL without resorting to string concatenation, and the risk of SQL Injection attacks that follows?
Caveat: I don't know how Dapper actually passes an array to the query, which limits my creative ideas for working around this :-D
And also: Changing the Table structure is, unfortunately, out of the question. And I'd rather avoid fetching every single person into .Net memory and doing the filtering there.
Is there ANY way to do this with SQL without resorting to string concatenation, and the risk of SQL Injection attacks that follows?
Because the set of where conditions is not fixed you will need to build the query dynamically. But that does not mean you cannot parameterise the query, you just build the parameter list alongside building the query. Each time a word from the list add to the condition and add a parameter.
As Dapper doesn't directly include anything that takes a collection of DbParameter, consider using ADO.NET to get an IDataReader and then Dappter's
IEnumerable<T> Parse<T>(this IDataReader reader)
for the mapping.
Such a builder would be very roughly
var n = 0;
for (criterion in cirteria) {
var cond = $"{crition.column} like #p{n}";
var p = new SqlPatameter($"#p{n}", $"%{crition.value}%";
conditions.Add(cond);
cmd.Parameters.Add(p);
}
var sql = "select whetever from table where " + String.Join(" and ", conditions);
cmd.CommandText = sql;
var reader = await cmd.ExecuteReaderAsync();
var res = reader.Parse<TResult>();
For performance reasons, it's much better to do this as a set-based operation.
You can pass through a datatable as a Table-Value Parameter, then join on that with LIKE as the condition. In this case you want all values to match, so you need a little bit of relational division.
First create your table type:
CREATE TYPE dbo.StringList AS TABLE (str varchar(100) NOT NULL);
Your SQL is as follows:
SELECT *
FROM Employees e
WHERE NOT EXISTS (SELECT 1
FROM #words w
WHERE e.Name NOT LIKE '%' + w.str + '%' ESCAPE '/' -- if you want to escape wildcards you need to add ESCAPE
);
Then you pass through the list as follows:
public IEnumerable<Employee> Search(string[] words)
{
var table = new DataTable{ Columns = {
{"str", typeof(string)},
} };
foreach (var word in words)
table.Rows.Add(SqlLikeEscape(word)); // make a function that escapes wildcards
using var connection = CreateConnection();
return connection.Query<Employee>(yourQueryHere, new
{
words = table.AsTableValuedParameter("dbo.StringList"),
});
}
I'm running the following query
cmd = new SqlCommand("SELECT * FROM addresses WHERE identifier NOT IN(#notIn)", _connector.getMsConnection());
When I view the value notIn and copy this query I get an empty result on my database (which I'm expecting). However when I'm running this code I get 6 results. The content of string notIN is for example
string notIn = "'201619011124027899693E8M2S3WOCKT9G6KHE11' ,'201619011124027899693E8M2S3WOCKT9G6KHE12'"
which combined with
SELECT *
FROM addresses
WHERE identifier NOT IN(#notIn)
Should create
SELECT *
FROM addresses
WHERE identifier NOT IN ('201619011124027899693E8M2S3WOCKT9G6KHE11',
'201619011124027899693E8M2S3WOCKT9G6KHE12' )
which runs as expected.
it should be like this:
cmd = new SqlCommand(string.Format("SELECT * FROM addresses WHERE identifier NOT IN({0})", notIn), _connector.getMsConnection());
This way the value of notIn will be concat to your string query.
Contrary to what the other answers say, concatenating the string to build the SQL is a bad idea, especially since the input values are strings. You open yourself up to SQL injection attacks.
You should be generating multiple parameters for each item in your list.
For example, if you have the input input:
var notIn = new[] { "A1", "B2", "C3" }
You'd want something like
for(var i = 0; i < notIn.Length; i++)
command.AddParamWithValue("p"+i, notIn);
And then you can build the SQL with concatenation (note that we are not concatenating an input here)
var sql = "SELECT * FROM addresses WHERE identifier NOT IN(" + string.Join(",", notIn.Select(i,v) => { "#p" + i; }) + ")";
Which then would look like:
SELECT * FROM addresses WHERE identifier NOT IN (#p0,#p1,#p2)
Alternatively, you could dump the values into a temporary table and do a join.
Note that the above is pseudocode, and may not compile verbatim, but should give you the right idea about how to procede.
It's because, you passed the #notIn as a whole string, which means, the SQL server see it as:
SELECT * FROM addresses WHERE identifier NOT IN('''201619011124027899693E8M2S3WOCKT9G6KHE11'',''201619011124027899693E8M2S3WOCKT9G6KHE12''')
So you got empty result
Try changing the "not in" to where clause and generate the where with C#:
string selectStatement = "SELECT * FROM addresses WHERE";
selectStatement += " identifier != '201619011124027899693E8M2S3WOCKT9G6KHE11' and identifier != '201619011124027899693E8M2S3WOCKT9G6KHE12'";
Or if you really want to use parameterized SQL, try doing it in stored procedure instead.
I'm converting an existing data project to Windows Phone 7. There's a method that accepts a string value and uses it as a column name to select a distinct list of values:
public static List<string> GetDistinctValues( string Field ) {
string sql = "SELECT DISTINCT [" + Field + "] FROM [MyTable]";
...
}
Converting this to Linq-to-Sql, I know how to use Distinct(), but I don't know how to dynamically set which column to query. I've tried searching and haven't found much. There are maybe a dozen different columns that may be used.
Sorry, I misunderstood your question originally.
What you are trying to do can be accomplished using Dynamic LINQ.
public static List<string> GetDistinctValues( string Field )
{
var query = db.MyTable.Select(Field).Distinct();
...
}
I want to delete multiple records from access database using array.
The array is loaded dynamically from file names.
Then i query the database, and see if the database column values are matching with the array values, if not then delete it, if matches then do not delete it.
the problem is that:
Following is the code that deletes all records irrespective of the where in Condition.
arrays = Directory.GetFiles(sdira, "*", SearchOption.AllDirectories).Select(x => Path.GetFileName(x)).ToArray();
fnames.AddRange(arrays);
here I have use also for loop but that also didnt help me out :( like for(int u = 0; u < arrays.length; u++) { oledbcommand sqlcmd = new oledbcommand ("delete from table1 where name not in ("'+arrays[u]+"')",sqlconnection);
I am using this one currently foreach(string name in arrays)
{
OleDbCommand sqlcmd = new OleDbCommand("delete from table1 where name not in ('" + name + "')", sqlconnection);
sqlcmd.ExecuteNonQuery(); }`
One problem is that your code is confusing.
string [] a = {"" 'a.jpg', 'b.jpg', 'c.jpg' "}
First, you have double " in the beginning,should only be one.
string [] a = {" 'a.jpg', 'b.jpg', 'c.jpg' "}
Then this created a string array with one element,
a[0] = "'a.jpg', 'b.jpg', 'c.jpg'";
Then you do a foreach on this which natuarly ony executes once resulting in this query:
delete from table1 where name not in ('a.jpg', 'b.jpg', 'c.jpg')
But when you load the array dynamically you probably get this array
a[0] = 'a.jpg';
a[1] = 'b.jpg';
a[1] = 'c.jpg';
which will execute 3 times in the foreach resulting in the following 3 queries
delete from table1 where name not in ('a.jpg')
delete from table1 where name not in ('b.jpg')
delete from table1 where name not in ('c.jpg')
After the second one the table will be empty.
You should try this instead:
string[] names = { "a.jpg", "b.jpg","c.jpg","j.jpg" };
string allNames = "'" + String.Join("','", names) + "'";
OleDbCommand sqlcmd = new OleDbCommand("delete from table1 where name not in (" + allNames + ")", sqlconnection);
sqlcmd.ExecuteNonQuery();
Where names is created dynamically ofcause and this will result in the following query matching your test:
delete from table1 where name not in ('a.jpg', 'b.jpg', 'c.jpg')
My preferred way to dynamically fill an array is to use a list instead as a pure array is fixed in size and any change needs to create a new array.
You can loop over a list as eacy as an array.
List<string> names = new List<string>();
//or user var keyword
var names = new List<string>();
Then just use add method to add elements, loop this as needed.
names.Add(filename);
Then for the concatenation:
string allNames = "'" + String.Join("','", names.ToArray()) + "'";
And you are done.
Or you could use
string[] filePaths = Directory.GetFiles(#"c:\MyDir\", "*.jpg");
string[] names = filePaths.ToList().ConvertAll(n => n.Substring(n.LastIndexOf(#"\") + 1)).ToArray();
posting my comment as a answer
your string is not reading in 4 entries, its reading one entry of
string names = " 'a.jpg', 'b.jpg','c.jpg','j.jpg' ";
it should be
string[] names = { "a.jpg", "b.jpg","c.jpg","j.jpg" };
before your for each had a count of 1 now it should have a count of 4 with the actual values
Edit:
Not a lot of effort in this solution i must admit but if you want dynamic input could do something like:
string name = " 'a.jpg', 'b.jpg','c.jpg','j.jpg' ";
string[] names = name.Split(',').Select(x => x.Trim(' ').Trim('\'')).ToArray();
will update later if i get the change as the trims are not good atm
For populating it, if you want it as enumerable a example could be something like
IEnumerable<string> filelocations = Directory.GetFiles(sourceDirectory, "*", SearchOption.AllDirectories).Select(x => Path.GetFileName(x));
or for string array
string [] lok = Directory.GetFiles(sourceDirectory, "*", SearchOption.AllDirectories).Select(x => Path.GetFileName(x)).ToArray();
Sounds like you're either not reading the file correctly or the file is empty. You should be checking the array to make sure it's not empty before running the operation against the database. If the array is empty, it SHOULD delete everything in the database as there are no matches.
You need to define the array like this:
string[] names = { "a.jpg", "b.jpg", "c.jpg", "j.jpg" };
the way you are defining the array it contains only one value:
" 'a.jpg', 'b.jpg','c.jpg','j.jpg' "
The code in your comment will delete any files not matching the first file. that would be all non 'a.jpg' files. The next iteration will delete all files that don't match 'b.jpg' which would be 'a.jpg'. This results in an empty table. Edit: The array declaration you have generates a good IN clause when you do it manually, but when you're getting a list of filenames, you're not generating this same string.
You need to perform a join on the array to generate a single string for your where clause that way the where clause includes all files. Your ultimate where clause should look like:
where name not in ('a.jpg','b.jpg','c.jpg','d.jpg')
Right now you have:
where name not in ('a.jpg')
... next iteration
where name not in ('b.jpg')
Also, be mindful that IN operations are expensive and the longer the array is the faster the query grows.
Try using a list if you don't want to create a static sized array
List<string> names = new List<string>();
names.Add("a.jpg");
names.Add("b.jpg");
names.Add("c.jpg");
foreach (string name in names)
{
OleDbCommand sqlcmd = new OleDbCommand("delete from table1
where name not in (" + name + ")",
sqlconnection);
sqlcmd.ExecuteNonQuery();
}
I have a string of itemIDs, and I want the gridview to use this parameter and get me the rest of the details from the item table. The problem i think is itemIDs is in varchar format and the db itemID is in int format.
because of this when the gridview page that display the item details loads i get the following error.
Well i think this is the cause for the error, correct me if im wrong!
Conversion failed when converting the varchar value ' + itemIDs + ' to data type int.
the sql query used is:
SELECT ItemID, Name, RelDate, Price, Status FROM item_k WHERE (ItemID IN (' + itemIDs + '))
itemIDs string contains values like "3,16,8"
how can I convert it to the int format? and where to place the conversion? in the sql statement?
thanks
//edit 2
ArrayList tmpArrayList = new ArrayList();
tmpArrayList = (ArrayList)Session["array"];
string itemIDs = string.Empty;
foreach (object itemID in tmpArrayList)
{
itemIDs += itemID.ToString() + ',';
}
itemIDs = itemIDs.Substring(0, itemIDs.Length - 1);
Is there any simple way to solve this problem?
I think the problem is with the ItemID column, not the itemIDs string or you have quotes around 3,16,8.
The SQL should be
SELECT ItemID, Name, RelDate, Price, Status FROM item_k
WHERE ItemID IN (3,16,8)
which is assuming ItemID is indeed an integer, and I'm guessing that it should be.
If you have the same scenario for non-integer IN clause, it would be
SELECT * FROM table
WHERE columnname IN ('Val1','VaL2')
Addition For nulls:
SELECT * FROM table
WHERE (columnname IN ('Val1','VaL2') OR columnname IS NULL)
or
SELECT * FROM table
WHERE (columnname IN ('Val1','VaL2') AND columnname IS NOT NULL)
Addition for second question: Refer to article "Join a String Using Delimiters" for multiple solutions. Also, as an aside, I would use a List<int> / List(Of Integer) (C#, vb.net respectively) instead of ArrayList if using .NET 2.0+ Framework.
See my answer from here. Essentially you pass the string of int's to a function as varchar(8000), return a table variable and join to that variable with your table. The SQL for the function is included in my answer. This works nicely with SQL Reports and with other instances where you will have a varying number of int's you wish to filter with.
I think that it is putting the literal string ' + itemIDs + ' into the query instead of appending the value of the itemIDs string to the query. It would be helpful to actually see the code where you construct the query.