先来张图:
看到这样的需求。我们一般会去拼接Sql语句,这样有Sql注入的风险,想到了用数据库做查询。把条件放到一张临时表中。具体代码如下
create proc [dbo].[pro_SelectUserInfo](@sort int,@value varchar(20) ='',@create_time date = '',@sex int)
as
begin
--查询结果放在一个临时表中
IF OBJECT_ID('tempdb..#tmp') IS NOT NULL
DROP TABLE #tmp
SELECT 显示的具体信息 INTO #tmp from 表名 连接的条件
where sex = CASE @sex WHEN -1 THEN sex ELSE @sex END --sex的值只有0和1 -1的时候就没有值进行赋值
AND CONVERT(date,tbl_member.create_time) = CASE @create_time WHEN '' THEN CONVERT(date,tbl_member.create_time) ELSE @create_time END
AND CHARINDEX( CASE @value WHEN '' THEN member_id + '|' + phone+'|'+tbl_member.name ELSE @value END,member_id + '|' + phone+'|'+tbl_member.name) > 0
AND tbl_member.enable = 1 --手机号和姓名作为条件
---排序条件
IF @sort = 1
SELECT * FROM #tmp ORDER BY member_id ASC
ELSE
SELECT * FROM #tmp ORDER BY member_id DESC
end