
How make a custom query on the fly?

Developer https://www.devze.com 2022-12-15 20:40 Source: Web

I'm working on a database in vb.net with sqlite which hosts a gallery, and I want to expand the search properties.

This is the actual query string:

"SELECT images.*
FROM images 
JOIN nodes 
ON images.id = nodes.image_id 
WHERE tag_id = (SELECT tags.id 
                FROM tags 
                WHERE tag = '" & tagname & "') 
ORDER BY images." & sort & " " & order & ""

But it can only search for one descriptive tag (tagname) and sort the images, nothing more.

I also want to filter the results by image ext (table = images.ext) or by one or more parameters... for example:

If the user searches "cars ext:jpg width>500", the database returns all images which have the tag "cars", have the extension jpg and are wider than 500 px.


First, this code is dangerous. It's open to SQL Injection attacks. You shouldn't just append string values like that to the query string. Instead, you should use a parameterized query.

In regards to your specific question, you should check the inputs for the search and, based on the inputs, generate the specific sections of the query, parameterizing them where necessary.

For example, if you have to filter on extensions, then you add a join to the extensions table in the variable holding the join clause, as well as a filter on the joined table in the variable holding the where clause (as well as the appropriate parameter and parameter value).

Then, in the end, you concatenate the parts of the query together (along with the query parameters) and execute it.


First of all, if that input is coming in from the user, don't concatenate strings like that, because it's susceptible to SQL Injection.

Using SQL Parameters is a way to avoid the injection:

' VB.NET line continuation is " & _" (space before the underscore)
command.CommandText = "SELECT images.* " & _
                      "FROM images " & _
                      "JOIN nodes " & _
                      "ON images.id = nodes.image_id " & _
                      "WHERE tag_id = (SELECT tags.id " & _
                                      "FROM tags " & _
                                      "WHERE tag = @tag)"

You can extend this to:

command.CommandText = "SELECT images.* " & _
                      "FROM images " & _
                      "JOIN nodes " & _
                      "ON images.id = nodes.image_id " & _
                      "WHERE tag_id = (SELECT tags.id " & _
                                      "FROM tags " & _
                                      "WHERE tag = @tag)"

command.Parameters.AddWithValue("@tag", searchTag)

' Only the SQL text of each optional filter is appended; its value is bound
' as a parameter, so user input never becomes part of the query string.
If Not String.IsNullOrEmpty(searchExt) Then
    command.CommandText = command.CommandText & " AND images.ext = @imageExt"
    command.Parameters.AddWithValue("@imageExt", searchExt)
End If

If Not String.IsNullOrEmpty(searchWidth) Then
    command.CommandText = command.CommandText & " AND images.width > @imageWidth"
    command.Parameters.AddWithValue("@imageWidth", searchWidth)
End If
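As an added example (not code from the question or from any of the answers), here is the approach this answer describes carried through against SQLite in Python with the standard sqlite3 module, since it runs offline: the search string "cars ext:jpg width>500" is parsed into one tag plus column/operator/value filters, every value is bound as a parameter, and the column names, operators and ORDER BY terms, which cannot be bound, are checked against whitelists. The table and column names follow the question; the `height` column, the whitelists and the demo rows are constructed assumptions.

```python
import re
import sqlite3

# Whitelists: identifiers and ORDER BY terms cannot be bound as parameters, so
# they are validated against fixed sets instead of being taken from the input.
FILTER_COLUMNS = {"ext", "width", "height"}
SORT_COLUMNS = {"id", "width", "height", "ext"}
OPERATORS = {":": "=", "=": "=", ">": ">", "<": "<", ">=": ">=", "<=": "<="}
TOKEN = re.compile(r"^(\w+)(>=|<=|[:=<>])(.+)$")

def build_query(search, sort="id", order="ASC"):
    """Turn 'cars ext:jpg width>500' into (sql, params); values are always bound."""
    if sort not in SORT_COLUMNS or order.upper() not in ("ASC", "DESC"):
        raise ValueError("unsupported sort column or direction")
    tag, where, params = None, [], []
    for token in search.split():
        m = TOKEN.match(token)
        if m is None:  # bare word: the (single) tag to search for
            if tag is not None:
                raise ValueError("only one tag is supported")
            tag = token
            continue
        col, op, val = m.groups()
        if col not in FILTER_COLUMNS:
            raise ValueError("unknown filter column: " + col)
        where.append("images.%s %s ?" % (col, OPERATORS[op]))
        params.append(int(val) if val.isdigit() else val)
    if tag is None:
        raise ValueError("a tag is required")
    sql = ("SELECT images.* FROM images JOIN nodes ON images.id = nodes.image_id"
           " WHERE nodes.tag_id = (SELECT tags.id FROM tags WHERE tags.tag = ?)")
    if where:
        sql += " AND " + " AND ".join(where)
    sql += " ORDER BY images.%s %s" % (sort, order.upper())
    return sql, [tag] + params

def demo_db():
    """Constructed in-memory gallery: three images, two of them tagged 'cars'."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE images(id INTEGER PRIMARY KEY, ext TEXT, width INTEGER, height INTEGER);
        CREATE TABLE tags(id INTEGER PRIMARY KEY, tag TEXT);
        CREATE TABLE nodes(image_id INTEGER, tag_id INTEGER);
        INSERT INTO images VALUES (1,'jpg',800,600),(2,'png',1024,768),(3,'jpg',320,240);
        INSERT INTO tags VALUES (1,'cars'),(2,'boats');
        INSERT INTO nodes VALUES (1,1),(2,1),(3,2);""")
    return conn

def search_ids(conn, search, sort="id", order="ASC"):
    sql, params = build_query(search, sort, order)
    return [row[0] for row in conn.execute(sql, params)]
```

A tag value containing a quote is simply bound as data and matches nothing, and an unexpected sort column is rejected before any SQL is built.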


If I understand the question correctly, you just want to build up a query string. Have you tried something like this?

SQLcommand.CommandText = "SELECT images.* FROM images JOIN nodes ON images.id = nodes.image_id WHERE tag_id = (SELECT tags.id FROM tags WHERE tag = '" & tagname & "') AND images.Ext = '" & ext & "' AND width > " & width & " ORDER BY images." & sort & " " & order & ""


Build the WHERE clause separately and then add it to your query.

where="1"
if tagname<>"" then where=where & " AND tag='" & tagname & "'"
...
"SELECT images.*
FROM images 
JOIN nodes 
ON images.id = nodes.image_id 
WHERE tag_id = (SELECT tags.id 
                FROM tags 
                WHERE " & where & " ) 
ORDER BY images." & sort & " " & order & ""
