When we sort a result set by a field with an ORDER BY clause, rows whose sort column is NULL are placed at the top.
Is there a way around this?
The answer is yes:
ORDER BY CASE WHEN OrderNum IS NULL THEN 1 ELSE 0 END
With this, the rows whose value is NULL are sorted to the end.
When querying data with Dapper, a fuzzy (LIKE) search is sometimes needed, like this:
SELECT * FROM T_Test WHERE Sex='男' AND (CardNo like 'xxx' OR Remark like 'xxx')
Written with Dapper, it might look like this:
public List<TestModel> Test(string sex, string keyWords)
{
    var sb = new StringBuilder("SELECT * FROM T_Test WHERE 1=1 ");
    sb.Append(" AND Sex=@Sex ");
    // keyWords is concatenated straight into the SQL text
    sb.Append(" AND (Content LIKE '%" + keyWords + "%' OR Remark LIKE '%" + keyWords + "%')");
    return DapperHelper.Query<TestModel>(sb.ToString(), new { Sex = sex }).ToList();
}
If keyWords is passed the value: %' or 1=1) --
the generated SQL statement is:
SELECT * FROM T_Test WHERE 1=1 AND Sex='男' AND (Content LIKE '%%' or 1=1) --%' OR Remark LIKE '%%')
Then congratulations: someone else now gets all of your information.
So how do we deal with it?
The fix is to change the Dapper call so that the search term is passed as a parameter:
public List<TestModel> Test(string sex, string keyWords)
{
    var sb = new StringBuilder("SELECT * FROM T_Test WHERE 1=1 ");
    sb.Append(" AND Sex=@Sex ");
    // the wildcards are part of the parameter value, not of the SQL text
    sb.Append(" AND (Content LIKE @KeyWords OR Remark LIKE @KeyWords)");
    return DapperHelper.Query<TestModel>(sb.ToString(), new { Sex = sex, KeyWords = "%" + keyWords + "%" }).ToList();
}
The generated SQL statement is:
exec sp_executesql N'SELECT * FROM T_Test WHERE 1=1 AND Sex=@Sex AND (Content LIKE @KeyWords OR Remark LIKE @KeyWords)',N'@Sex nvarchar(4000),@KeyWords nvarchar(4000)',@Sex=N'男',@KeyWords=N'%%'' or 1=1) --%'
Now the search term can only ever be data, and no information is leaked.
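To see both points of this post in action (the concatenated LIKE versus the parameterized one, and the NULLs-last CASE trick), here is an added example that is not the post's own code. It uses Python with an in-memory SQLite table, constructed sample rows, and the post's exact search term; as a refinement beyond the post it also escapes user-typed % and _ with an ESCAPE clause so they match literally.

```python
import sqlite3

# Constructed sample rows standing in for T_Test (not data from the original post).
ROWS = [
    ("男", "1001", "alpha", 3),
    ("男", "1002", "beta", None),
    ("女", "1003", "gamma", 1),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T_Test (Sex TEXT, CardNo TEXT, Remark TEXT, OrderNum INTEGER)")
    con.executemany("INSERT INTO T_Test VALUES (?, ?, ?, ?)", ROWS)
    return con

def query_vulnerable(con, sex, key_words):
    # Same shape as the post's first version: Sex is bound, but the search term is
    # spliced into the SQL text, so a quote and '--' inside it rewrite the statement.
    sql = ("SELECT * FROM T_Test WHERE 1=1 AND Sex=? "
           "AND (CardNo LIKE '%" + key_words + "%' OR Remark LIKE '%" + key_words + "%')")
    return con.execute(sql, (sex,)).fetchall()

def escape_like(term):
    # Added refinement: make user-typed '%' and '_' match literally (ESCAPE '\' below).
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def query_parameterized(con, sex, key_words):
    # Same shape as the post's fixed version: the wildcards are added to the bound
    # value, never to the SQL text, so the term can only ever be data.
    sql = ("SELECT * FROM T_Test WHERE 1=1 AND Sex=? "
           "AND (CardNo LIKE ? ESCAPE '\\' OR Remark LIKE ? ESCAPE '\\')")
    pattern = "%" + escape_like(key_words) + "%"
    return con.execute(sql, (sex, pattern, pattern)).fetchall()

def order_nulls_last(con):
    # The post's CASE trick: rows with a NULL OrderNum sort after the rest.
    sql = ("SELECT CardNo, OrderNum FROM T_Test "
           "ORDER BY CASE WHEN OrderNum IS NULL THEN 1 ELSE 0 END, OrderNum")
    return con.execute(sql).fetchall()

PAYLOAD = "%' or 1=1) --"   # the search term from the post

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", query_vulnerable(con, "男", PAYLOAD))        # every row with Sex='男'
    print("parameterized:", query_parameterized(con, "男", PAYLOAD))  # no rows
    print("nulls last:", order_nulls_last(con))
```

Only the Sex filter still limits the vulnerable result, because that one value was bound; the concatenated term disables the rest of the WHERE clause.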