--网上提供各种exec动态执行的写法不利于复杂语句处理,针对in问题参数化防注入处理
方法1、(缺陷:in仅支持256)
// Build the lookup with every id bound as a query parameter. The SQL text only ever
// receives generated placeholder names (@productid_0, @productid_1, ...) that come from
// the loop counter, never the caller-supplied ids themselves, so a comma-separated
// productid string cannot alter the statement. productid must be non-null: Split
// would throw on null.
var sql = "select * from tb where 1=1 ";
var param = new Dictionary<string, object>();
var productids = productid.Split(',');

if (productids.Length > 1)
{
    // One named parameter per id; the placeholder names (not the values) form the IN list.
    var paramList = new List<string>(productids.Length);
    var index = 0;
    foreach (var id in productids)
    {
        var placeholder = "@productid_" + index++;
        paramList.Add(placeholder);
        param.Add(placeholder, id);
    }

    sql += $" and new_partsid in ({string.Join(",", paramList)}) ";
}
else
{
    // No comma in the input: bind the whole string as a single parameter.
    sql += " and new_partsid=@productid";
    param.Add("@productid", productid);
}

var dt = Db.Query(sql, param);
方法2、SELECT -- UNION ALL 参数化与方法1类似,可以无限制地解决方法1的数量限制问题