OdbcCommand怎么写关于“IN”操作符的参数化SQL命令
大家知道为了防止SQL注入式攻击,在查询数据库的时候最好用ADODB.Command创建参数化的SQL查询语句比如
OdbcConnection oConn = new OdbcConnection(this.dsn);
oConn.Open();
string sqltext = "SELECT * FROM user WHERE id = ?";
OdbcCommand oCmd = new OdbcCommand(sqltext, oConn);
oCmd.Parameters.Add("UserId", OdbcType.Int).Value = 888;
OdbcDataReader oDr = oCmd.ExecuteReader();
但是有个问题来了,我想用SQL的In操作符
比如这样的SQL语句:SELECT * FROM user WHERE id IN (777, 888, 999)
我就不知道怎么写参数化命令了
我写成下面这样也不对
string sqltext = "SELECT * FROM user WHERE id IN (?)";
OdbcCommand oCmd = new OdbcCommand(sqltext, oConn);
oCmd.Parameters.Add("UserId", OdbcType.Int).Value = "777,888,999";
希望大侠帮帮忙
--------------------编程问答-------------------- string sqltext = "SELECT * FROM user WHERE id IN (@UserId)";
OdbcCommand oCmd = new OdbcCommand(sqltext, oConn);
oCmd.Parameters.Add("@UserId", OdbcType.Int).Value = "777,888,999"; --------------------编程问答-------------------- 大侠,上面的方法不行,不光要将@UserId改回成?号,而且最后一行提示“将参数值从 String 转换到 Int32 失败” --------------------编程问答-------------------- http://www.cnblogs.com/lzrabbit/archive/2012/04/22/2465313.html
--------------------编程问答-------------------- oCmd.Parameters.Add("@UserId", OdbcType.Int).Value = "777,888,999";
明显不是OdbcType.Int类型的
补充:.NET技术 , C#