根据实体类生成查询安全版
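/// <summary>
/// Builds a parameterized SQL filter from the readable, non-null properties of <paramref name="t"/>.
/// Each emitted clause starts with " AND " and binds a parameter named "@&lt;PropertyName&gt;", so the
/// caller is expected to prefix the result with something like "WHERE 1=1".
/// Clause shape per property:
///  - string whose name contains "id" (case-insensitive, anywhere in the name): equality
///  - any other non-empty string: "LIKE @p" with the value wrapped in '%' and its own
///    LIKE metacharacters ('%', '_', '[') escaped, so user text is matched literally
///  - non-string whose name ends in "from": ">= @p"; ends in "to": "&lt;= @p"; otherwise equality
/// Empty strings and null values produce no clause. Column names come from the CLR type's
/// property names, never from the values, so they are not user-controlled.
/// </summary>
/// <typeparam name="T">Entity type whose public instance properties are inspected.</typeparam>
/// <param name="t">Entity carrying the filter values; null entries are skipped.</param>
/// <param name="where">Receives the concatenated " AND ..." clauses (empty string if none).</param>
/// <returns>The parameters to attach to the command, one per emitted clause.</returns>
/// <exception cref="ArgumentNullException"><paramref name="t"/> is null.</exception>
public static IList<SqlParameter> GetParas<T>(T t, out string where)
{
    if (t == null)
    {
        // Reading an instance property off a null target would surface as a TargetException.
        throw new ArgumentNullException(nameof(t));
    }

    // SQL Server LIKE treats '%', '_' and '[' specially; wrapping each one in brackets makes it literal.
    // '[' is handled first so the brackets we introduce are not re-escaped.
    string EscapeLike(string raw)
    {
        return raw.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    StringBuilder clauses = new StringBuilder();
    List<SqlParameter> paras = new List<SqlParameter>();

    foreach (var prop in typeof(T).GetProperties())
    {
        // Indexers require an index argument and write-only properties cannot be read; skip both.
        if (!prop.CanRead || prop.GetIndexParameters().Length != 0)
        {
            continue;
        }

        object value = prop.GetValue(t, null);
        if (value == null)
        {
            continue;
        }

        string name = prop.Name;
        string paraName = "@" + name;

        if (value is string text)
        {
            // Check the raw value: the wrapped "%...%" form is never empty, so testing it would be a no-op.
            if (string.IsNullOrEmpty(text))
            {
                continue;
            }

            if (Regex.IsMatch(name, "id", RegexOptions.IgnoreCase))
            {
                // Identifier-like strings are matched exactly, not as a pattern.
                paras.Add(new SqlParameter(paraName, value));
                clauses.AppendFormat(" AND {0} = @{0}", name);
            }
            else
            {
                paras.Add(new SqlParameter(paraName, "%" + EscapeLike(text) + "%"));
                clauses.AppendFormat(" AND {0} LIKE @{0}", name);
            }
        }
        else
        {
            paras.Add(new SqlParameter(paraName, value));

            if (Regex.IsMatch(name, "from$", RegexOptions.IgnoreCase))
            {
                clauses.AppendFormat(" AND {0} >= @{0}", name);
            }
            else if (Regex.IsMatch(name, "to$", RegexOptions.IgnoreCase))
            {
                clauses.AppendFormat(" AND {0} <= @{0}", name);
            }
            else
            {
                clauses.AppendFormat(" AND {0} = @{0}", name);
            }
        }
    }

    where = clauses.ToString();
    return paras;
}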