我用的是下面的方法
http://www.cnblogs.com/zm235/archive/2006/11/15/561595.html现在问题是.存储过程规定了几个参数.如页大小.表名等等.可是我现在还想传条件参数进去如: where userName=@userName
但是如果传了规定外的参数就说参数数目不对.可是如果不作参数传的话.就很容易造成注入.大家有什么解决的方法?
http://www.cnblogs.com/zm235/archive/2006/11/15/561595.html现在问题是.存储过程规定了几个参数.如页大小.表名等等.可是我现在还想传条件参数进去如: where userName=@userName
但是如果传了规定外的参数就说参数数目不对.可是如果不作参数传的话.就很容易造成注入.大家有什么解决的方法?
解决方案 »
- 这样类属性的写法有没有不妥之处?
- 用过JAVASCRIPT后样式没有了
- 倾本人所有分3675分求 .net 加密软件(dll混淆器)
- ajax 返回XML,然后显示表格
- 空格变+号的小问题
- 急(在线等)如何在DataList控件的项模板中调用本身的属性???
- 三层架构项目如何发布
- 大家帮我看一下,我的asp空间是不是真的有问题?谢谢了
- 如何在datalist中使用dropdownlist?
- string strComm = "select * from article where articleid="+id;的问题help
- SQL语句里面嵌入变量的问题??
- 请指教,关于如何检测远程机器上文件夹可用容量的问题 ?
http://dev.csdn.net/author/stbrine/1baf1f6f29444e09a7dd787a1d7a0b7c.html
上面的这个,我测试了,没问题。
看我的:
CREATE PROCEDURE [dbo].[spGetStaffListForPager]
@coId varchar(16),
@keyStr varchar(32),
@startIndex int,
@pageSize int
AS
BEGIN
-- SET NOCOUNT ON added to prevent extra result sets from
-- interfering with SELECT statements.
SET NOCOUNT ON; -- Insert statements for procedure here
WITH staffList as
(
SELECT ROW_NUMBER() OVER(ORDER BY aspnet_Users.UserName DESC) AS ROW, eCStaff.StaffName as StaffName,eCStaff.Sex as Sex,eCStaff.Photo as Photo,eCHeadship.HeadshipId as HeadId,
eCHeadship.Headship as HeadName,eCDepartment.DepId as DepId,eCDepartment.Name as DepName,eCDepartment.Phone as DepPhone,
eCDepartment.ExtNumber as DepExt, eCDepartment.Fax as DepFax,
aspnet_Membership.Email as StaffMail,aspnet_Users.UserName as StaffID
FROM eCStaff,eCHeadship,eCDepartment,aspnet_Membership,aspnet_Users
WHERE
eCStaff.CoId=@coId
AND
eCStaff.HeadshipId=eCHeadship.HeadshipId
AND
eCHeadship.CoId=@coId
AND
eCStaff.DepId=eCDepartment.DepId
AND
eCDepartment.CoId=@coId
AND
eCStaff.StaffId=aspnet_Users.UserName
AND
aspnet_Users.UserId=aspnet_Membership.UserId
AND StaffName LIKE ''%''+@keyStr+''%''
)
SELECT * FROM staffList WHERE ROW between @startIndex and @startIndex+@pageSize-1
END