先來張圖:
看到這樣的需求。我們一般會去拼接Sql語句,這樣有Sql注入的風險,想到了用數據庫做查詢。把條件放到一張臨時表中。具體代碼如下
create proc [dbo].[pro_SelectUserInfo](@sort int,@value varchar(20) ='',@create_time date = '',@sex int)
as
begin
--查詢結果放在一個臨時表中
IF OBJECT_ID('tempdb..#tmp') IS NOT NULL
DROP TABLE #tmp
SELECT 顯示的具體信息 INTO #tmp from 表名 連接的條件
where sex = CASE @sex WHEN -1 THEN sex ELSE @sex END --sex的值只有0和1 -1的時候就沒有值進行賦值
AND CONVERT(date,tbl_member.create_time) = CASE @create_time WHEN '' THEN CONVERT(date,tbl_member.create_time) ELSE @create_time END
AND CHARINDEX( CASE @value WHEN '' THEN member_id + '|' + phone+'|'+tbl_member.name ELSE @value END,member_id + '|' + phone+'|'+tbl_member.name) > 0
AND tbl_member.enable = 1 --手機號和姓名作為條件
---排序條件
IF @sort = 1
SELECT * FROM #tmp ORDER BY member_id ASC
ELSE
SELECT * FROM #tmp ORDER BY member_id DESC
end