在 SQL Server 中,使用参数化查询可以提高安全性和性能
使用 Transact-SQL 存储过程:CREATE PROCEDURE GetEmployeeById @EmployeeId INTASBEGIN SELECT * FROM Employees WHERE EmployeeId = @EmployeeId;END;要调用此存储过程并传递参数,请使用以下语句:
EXEC GetEmployeeById @EmployeeId = 1;首先,确保已安装 System.Data.SqlClient。
using System.Data.SqlClient;string connectionString = "your_connection_string";string query = "SELECT * FROM Employees WHERE EmployeeId = @EmployeeId";using (SqlConnection connection = new SqlConnection(connectionString)){ using (SqlCommand command = new SqlCommand(query, connection)) { // 添加参数 command.Parameters.AddWithValue("@EmployeeId", 1); connection.Open(); using (SqlDataReader reader = command.ExecuteReader()) { while (reader.Read()) { // 处理查询结果 } } }}pyodbc 库):首先,确保已安装 pyodbc。
import pyodbcconnection_string = "your_connection_string"query = "SELECT * FROM Employees WHERE EmployeeId = ?"connection = pyodbc.connect(connection_string)cursor = connection.cursor()# 添加参数params = (1,)cursor.execute(query, params)for row in cursor: # 处理查询结果cursor.close()connection.close()这些示例展示了如何在 SQL Server 中设置参数。请根据您的实际需求和编程语言进行调整。
