Class Query
Builds and compiles parameterized SQL queries with support for multiple tables, relations, filtering, grouping, ordering, and pagination. Provides comprehensive SQL injection prevention through input validation (whitelist for table/field names, blacklist for dangerous keywords) and parameterized query construction. Supports advanced features including version control, culture filtering, permission-based visibility, and multi-table relation handling (Sibling, FirstChild, DataField relations).
Inherited Members
Namespace: DataWeb.Data.SqlServer
Assembly: DataWeb.Data.SqlServer.dll
Syntax
public class Query
Properties
Count
Maximum rows to return via TOP clause. 0 = all.
Declaration
public int Count { get; set; }
Property Value
| Type | Description |
|---|---|
| int |
Culture
Culture code for culture-specific filtering.
Declaration
public string Culture { get; set; }
Property Value
| Type | Description |
|---|---|
| string |
EditFields
Field assignments for INSERT and UPDATE operations.
Declaration
public List<Query.EditField> EditFields { get; set; }
Property Value
| Type | Description |
|---|---|
| List<Query.EditField> |
Filters
WHERE filters. Use AddFilter(string, string, object, SqlDbType?, int?, FilterMode, FilterCondition) to add entries.
Declaration
public List<Query.Filter> Filters { get; set; }
Property Value
| Type | Description |
|---|---|
| List<Query.Filter> |
GroupFields
Fields for GROUP BY clause.
Declaration
public string[] GroupFields { get; set; }
Property Value
| Type | Description |
|---|---|
| string[] |
IsAllVersions
Indicates whether all versions of records should be included.
Declaration
public bool IsAllVersions { get; set; }
Property Value
| Type | Description |
|---|---|
| bool |
IsOrderByPosition
Indicates whether ORDER BY should use column positions instead of names.
Declaration
public bool IsOrderByPosition { get; set; }
Property Value
| Type | Description |
|---|---|
| bool |
IsPagination
Indicates whether pagination should be applied to the query results.
Declaration
public bool IsPagination { get; set; }
Property Value
| Type | Description |
|---|---|
| bool |
Mode
Query mode: Select, Insert, Update, or Delete.
Declaration
public QueryMode Mode { get; set; }
Property Value
| Type | Description |
|---|---|
| QueryMode |
OrderFields
Fields for ORDER BY clause.
Declaration
public string[] OrderFields { get; set; }
Property Value
| Type | Description |
|---|---|
| string[] |
PageIndex
Zero-based page index for pagination.
Declaration
public long PageIndex { get; set; }
Property Value
| Type | Description |
|---|---|
| long |
PageSize
Number of rows per page. Default is 50.
Declaration
public int PageSize { get; set; }
Property Value
| Type | Description |
|---|---|
| int |
Parameters
Query parameters bound to filter expressions.
Declaration
public List<SqlParameter> Parameters { get; set; }
Property Value
| Type | Description |
|---|---|
| List<SqlParameter> |
PublishMode
Publish mode for the query (e.g., Live, Draft).
Declaration
public PublishMode PublishMode { get; set; }
Property Value
| Type | Description |
|---|---|
| PublishMode |
SelectMode
Determines the SELECT projection: full rows or COUNT.
Declaration
public SelectMode SelectMode { get; set; }
Property Value
| Type | Description |
|---|---|
| SelectMode |
SelectStatement
Custom SELECT projection expression. If set, replaces the default *.
Declaration
public string SelectStatement { get; set; }
Property Value
| Type | Description |
|---|---|
| string |
Tables
Tables (FROM / JOIN) to include in the query.
Declaration
public List<Query.Table> Tables { get; set; }
Property Value
| Type | Description |
|---|---|
| List<Query.Table> |
Methods
AddEditField(string, object, bool)
Adds a field assignment for INSERT and UPDATE operations.
Declaration
public void AddEditField(string field, object parameterValue = null, bool isExpression = false)
Parameters
| Type | Name | Description |
|---|---|---|
| string | field | The field name to assign a value to. |
| object | parameterValue | The value to assign. If null, the parameter is set to Value. |
| bool | isExpression | If true, the parameter value is treated as a SQL expression instead of a parameterized value. |
AddFilter(string, string, object, SqlDbType?, int?, FilterMode, FilterCondition)
Adds a WHERE filter condition to the query.
Declaration
public void AddFilter(string filter, string parameterName = null, object parameterValue = null, SqlDbType? parameterType = null, int? parameterSize = null, FilterMode mode = FilterMode.And, FilterCondition condition = FilterCondition.Always)
Parameters
| Type | Name | Description |
|---|---|---|
| string | filter | The filter expression to add. |
| string | parameterName | Optional parameter name for the filter value. If provided, a corresponding parameter should be supplied. |
| object | parameterValue | Optional parameter value to bind to the filter. |
| SqlDbType? | parameterType | Optional SQL data type for the parameter. |
| int? | parameterSize | Optional size for the parameter (e.g. for varchar fields). |
| FilterMode | mode | The logical mode for combining filters (AND or OR). Default is AND. |
| FilterCondition | condition | The condition for applying the filter (Always or NotNull). Default is Always. |
Compile()
Compiles the query into a parameterized SQL string.
Declaration
public string Compile()
Returns
| Type | Description |
|---|---|
| string | A parameterized SQL query string. |
Exceptions
| Type | Condition |
|---|---|
| Exception | Thrown if no tables have been added to the query. |
CompileSelect()
Declaration
protected string CompileSelect()
Returns
| Type | Description |
|---|---|
| string |
ValidateFieldName(string)
Validates that a field name contains only alphanumeric characters, underscores, or dots. Throws ArgumentException if the name is invalid, preventing SQL injection via field name interpolation.
Declaration
public static void ValidateFieldName(string fieldName)
Parameters
| Type | Name | Description |
|---|---|---|
| string | fieldName | The field name to validate. |
Exceptions
| Type | Condition |
|---|---|
| ArgumentException | Thrown when |
ValidateSectionPartTableName(string)
Validates that a table name is not a reserved item system table (Sys_Masters, Sys_Relations). Throws ArgumentException if the name refers to a system table, preventing unauthorized access to internal tables.
Declaration
public static void ValidateSectionPartTableName(string tableName)
Parameters
| Type | Name | Description |
|---|---|---|
| string | tableName | The table name to validate. |
Exceptions
| Type | Condition |
|---|---|
| ArgumentException | Thrown when |
ValidateTableName(string)
Validates that a table name contains only alphanumeric characters, hyphens, or underscores. Throws ArgumentException if the name is invalid, preventing SQL injection via table name interpolation.
Declaration
public static void ValidateTableName(string tableName)
Parameters
| Type | Name | Description |
|---|---|---|
| string | tableName | The table name to validate. |
Exceptions
| Type | Condition |
|---|---|
| ArgumentException | Thrown when |