参数化解决sql注入

用DynamicParameters:

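// Builds the WHERE clause for the guest query. Every user-controlled value is bound
// through DynamicParameters; the SQL text itself only ever receives fixed fragments and
// parameter names, never the values — that is what closes the injection path.
string where = " where a.is_deleted=0 and a.bvent_id=@bventId and au.user_type=0  and au.attendee_type=0 ";

var dyParam = new DynamicParameters();
dyParam.Add("@bventId", query.BventId);

if (query.Ids != null && query.Ids.Any())
{
    // Bind the collection itself: Dapper rewrites `in @ids` to `in (@ids1, @ids2, ...)`,
    // one parameter per element. Joining the ids into ONE comma-separated string binds a
    // single parameter, so the predicate becomes `a.id in ('1,2,3')` — a comparison
    // against the literal text, not the intended set membership.
    where += " and a.id in @ids ";
    dyParam.Add("@ids", query.Ids);
}

if (query.SearchType == SearchType.Simple)
{
    // Simple search: one keyword matched against full name, mobile and e-mail.
    if (!string.IsNullOrWhiteSpace(query.SimpleSearchValue))
    {
        where += " and (a.full_name like @keyword or a.mobile like @keyword or a.email like @keyword )";
        // The '%' wildcards are added to the parameter VALUE, not spliced into the SQL text.
        // NOTE(review): '%' and '_' typed by the user are still interpreted as LIKE
        // wildcards (no injection, but broader matches than a plain substring search);
        // escape them with an ESCAPE clause if exact-substring semantics are required —
        // the SQL dialect is not visible in this snippet.
        dyParam.Add("@keyword", $"%{query.SimpleSearchValue}%");
    }
}

// `sql` (the SELECT/FROM part), `pageIndex` and `pageSize` are defined outside this snippet;
// the pagination wrapper receives the same parameter bag, so nothing is re-stringified.
var guests = await _dapperAsyncExecutor.QueryAsync<GuestViewModel>(
    $"{sql} {where}".AsPaginatedSql(pageIndex, pageSize), dyParam);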

 
