根据实体类生成查询安全版

   public static IList<SqlParameter> GetParas<T>(T t, out string where)

    {

        StringBuilder sb = new StringBuilder();

        List<SqlParameter> paras = new List<SqlParameter>();

 

        Type type = typeof(T);

 

        foreach (var item in type.GetProperties())

        {

            object value = item.GetValue(t, null);

            if (value == null)

            {

                continue;

            }

 

            if (value.GetType() == typeof(string))

            {

                string s = "%" + (string)value + "%";

                if (!string.IsNullOrEmpty(s))

                {

 

                    if (Regex.IsMatch(item.Name, "id", RegexOptions.IgnoreCase))

                    {

                        paras.Add(new SqlParameter(string.Format("@{0}", item.Name), value));

                        sb.AppendFormat(" AND {0} = @{0}", item.Name);

                    }

                    else

                    {

                        paras.Add(new SqlParameter(string.Format("@{0}", item.Name), s));

                        sb.AppendFormat(" AND {0} LIKE @{0}", item.Name);

                    }

                }

            }

            else

            {

                paras.Add(new SqlParameter(string.Format("@{0}", item.Name), value));

                if (Regex.IsMatch(item.Name, "from$", RegexOptions.IgnoreCase))

                {

                    sb.AppendFormat(" AND {0} >= @{0}", item.Name);

                }

                else if (Regex.IsMatch(item.Name, "to$", RegexOptions.IgnoreCase))

                {

                    sb.AppendFormat(" AND {0} <= @{0}", item.Name);

                }

                else

                    sb.AppendFormat(" AND {0} = @{0}", item.Name);

            }

        }

        where = sb.ToString();

        return paras;

    }
