Restful 的 API 範例，比較特別的是取得單一筆資料時，不是用一般常見的 {id} 而是用 get?id=xxx 的方式，以避免 XXS 的功擊。(不要把原網頁中的參數拼入 API 網址，要改用 Query String 的方式傳給 API)

using Ds;

using Ds.Gv;

using iText.Kernel.Geom;

using Microsoft.AspNetCore.Mvc;

using Microsoft.EntityFrameworkCore;

using NPOI.SS.Formula.Functions;

using NPOI.SS.Util;

using Su;

using System.Linq.Expressions;



namespace CallCampaign.Api

{

    /// <summary>

    /// 行銷活動

    /// </summary>

    [Route("api/call-campaign")]

    [ApiController]

    [SetAuthorizationFilter(Sh.AuthCode.不設限)]

    public class ReserveCampaignController : Controller

    {

        /// <summary>

        /// 取得行銷活動列表

        /// </summary>

        /// <param name="reserveCampaignName"></param>

        /// <param name="currentPage"></param>

        /// <param name="pageSize"></param>

        /// <param name="orderByName"></param>

        /// <param name="sort"></param>

        /// <returns></returns>

        /// <exception cref="Exception"></exception>

        [HttpGet("")]

        public async Task<object> ListAsync([FromQuery] string reserveCampaignName = "", [FromQuery] int? currentPage = 1, [FromQuery] int? pageSize = 20, [FromQuery] string orderByName = "OrderNo", [FromQuery] string sort = "asc")

        {

            if (pageSize > 500)

            {

                pageSize = 500;

            }



            if (!(sort == "asc" || sort == "desc"))

            {

                throw new CustomException(System.Net.HttpStatusCode.BadRequest, "sort只能是asc或desc");

            }



            var temp = new V_ReserveCampaign().GetType().GetProperty(orderByName);

            if (temp == null)

            {

                throw new CustomException(System.Net.HttpStatusCode.BadRequest, "不存在欄位");

            }



            Expression<Func<V_ReserveCampaign, bool>> q = p => p.Is_Deleted == "N"

                    && (string.IsNullOrEmpty(reserveCampaignName) || (p.ReserveCampaignName != null && p.ReserveCampaignName.Contains(reserveCampaignName)))

                    ;



            if (orderByName.ToLower().Trim() != "id")

            {

                orderByName += " " + sort + ", id desc";

            }

            else

            {

                orderByName += " " + sort;

            }



            var ct = NewContext.GvContext;

            var list = await ct.GetPageListAsync(q, columns: "Id, ReserveCampaignName, OrderNo, StartAt, EndAt, ModifierName, ModifyDate, CreatorName, CreateDate", page: currentPage ?? 1, pageSize: pageSize ?? 20, orderByName);

            //var list = await ct.GetPageListAsync(q, page: currentPage ?? 1, pageSize: pageSize ?? 20, orderByName + " " + sort);

            return list;

        }



        /// <summary>

        /// 取得行銷活動

        /// </summary>

        /// <param name="Id"></param>

        /// <returns></returns>

        /// <exception cref="Exception"></exception>

        [HttpGet("get")]

        public async Task<dynamic> GetAsync([FromQuery] int Id)

        {

            var res = await Ds.NewContext.GvContext.ReserveCampaigns.Where(r => r.Id == Id)

                .FirstOrDefaultAsync();



            if (res == null)

            {

                throw new CustomException(System.Net.HttpStatusCode.BadRequest, "查無資料 " + Id.ToString());

            }

            return res;

        }

                

        /// <summary>

        /// 建立行銷活動

        /// </summary>

        /// <param name="dto"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpPost("")]

        public async Task<object> CreateAsync(Dtos.CreateReserveCampaign dto)

        {

            var ct = NewContext.GvContext;

            var res = await Models.ReserveCampaignHelper.CreateReserveCampaignAsync(ct, dto);

            return res;

        }



        /// <summary>

        /// 編輯行銷活動

        /// </summary>

        /// <param name="dto"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpPatch("")]

        public async Task<object> UpdateAsync(Dtos.UpdateReserveCampaign dto)

        {

            var ct = NewContext.GvContext;

            var res = await Models.ReserveCampaignHelper.UpdateReserveCampaignAsync(ct, dto);

            return res;

        }



        /// <summary>

        /// 刪除行銷活動

        /// </summary>

        /// <param name="id"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpDelete("")]

        public async Task<object> DeleteAsync([FromQuery] int id)

        {

            var res = await Ds.NewContext.GvContext.MarkDeleteAsync<Ds.Gv.ReserveCampaign>(id, Sh.ModifyInfo);

            return res;

        }

    }

}

再增加一個同步範例(只例出 action)

        /// <summary>

        /// 取得列表

        /// </summary>

        /// <param name="name"></param>

        /// <param name="currentPage"></param>

        /// <param name="pageSize"></param>

        /// <param name="orderByName"></param>

        /// <param name="sort"></param>

        /// <returns></returns>

        [HttpGet("")]

        public object List([FromQuery] string name = "", [FromQuery] int? currentPage = 1, [FromQuery] int? pageSize = 20, [FromQuery] string orderByName = "OrderNo", [FromQuery] string sort = "asc")

        {

            return "";

        }



        /// <summary>

        /// 取得明細資料

        /// </summary>

        /// <param name="Id"></param>

        /// <returns></returns>

        /// <exception cref="Exception"></exception>

        [HttpGet("get")]

        public object Get([FromQuery] int id)

        {

            return "";

        }



        /// <summary>

        /// 建立

        /// </summary>

        /// <param name="dto"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpPost("")]

        public object Create(Dtos.PhysicalCheckUpType dto)

        {

            return "";

        }



        /// <summary>

        /// 編輯

        /// </summary>

        /// <param name="dto"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpPatch("")]

        public object Update(Dtos.PhysicalCheckUpType dto)

        {

            return "";

        }



        /// <summary>

        /// 刪除

        /// </summary>

        /// <param name="id"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpDelete("")]

        public object Delete([FromQuery] int id)

        {

            return 1;

        }

找了很久，原來就在 梨子給的範例裡。

假設有兩個 expression: e1, e2

            var combineBody = Expression.AndAlso(e1.Body, Expression.Invoke(e2, e1.Parameters[0]));

            var finalExpression = Expression.Lambda<Func<TestClass, bool>>(combineBody, e1.Parameters).Compile();

同理，把上面的 AndAlso 換成 OrElse 就可以用 Or 合併。

即使只有兩行，還是不太可能背起來，所以當然要來做一下擴充

    public static class ExpressionExtension

    {

        public static Expression<Func<T, bool>> AndAlso<T>(this Expression<Func<T, bool>> e1, Expression<Func<T, bool>> e2)

        {

            var combineE = Expression.AndAlso(e1.Body, Expression.Invoke(e2, e1.Parameters[0]));



            return Expression.Lambda<Func<T, bool>>(combineE, e1.Parameters);

        }



        public static Expression<Func<T, bool>> OrElse<T>(this Expression<Func<T, bool>> e1, Expression<Func<T, bool>> e2)

        {

            var combineE = Expression.OrElse(e1.Body, Expression.Invoke(e2, e1.Parameters[0]));



            return Expression.Lambda<Func<T, bool>>(combineE, e1.Parameters);

        }

    }

使用範例:

            Expression<Func<Market, bool>> e1 = e => e.Is_Deleted == isDelete;



            Expression<Func<Market, bool>> e2 = e => string.IsNullOrEmpty(marketNo) || e.MarketNo.ToUpper().Contains(marketNo.ToUpper());



            return new

            {

                andMarkets = Ds.PageContext.ShopBandContext.Markets.Where(e1.AndAlso(e2)).ToList(),

                orMarkets = Ds.PageContext.ShopBandContext.Markets.Where(e1.OrElse(e2)).ToList(),

            };

 再補兩個擴充, 可以把多個 Expression 用 AndAlso 或 OrElse 串在一起:

        public static Expression<Func<T, bool>> OrElseAll<T>(this IEnumerable<Expression<Func<T, bool>>> exps)

        {

            if (exps.Count() == 1)

            {

                return exps.First();

            }



            var e0 = exps.First();



            var orExp = exps.Skip(1).Aggregate(e0.Body, (x, y) => Expression.OrElse(x, Expression.Invoke(y, e0.Parameters[0])));



            return Expression.Lambda<Func<T, bool>>(orExp, e0.Parameters);

        }



        public static Expression<Func<T, bool>> AndAlsoAll<T>(this IEnumerable<Expression<Func<T, bool>>> exps)

        {

            if (exps.Count() == 1)

            {

                return exps.First();

            }



            var e0 = exps.First();



            var orExp = exps.Skip(1).Aggregate(e0.Body, (x, y) => Expression.AndAlso(x, Expression.Invoke(y, e0.Parameters[0])));



            return Expression.Lambda<Func<T, bool>>(orExp, e0.Parameters);

        }

使用範例:

            Expression<Func<Market, bool>> q = e =>

            e.Is_Deleted == "N"

            && (string.IsNullOrEmpty(marketNo) || e.MarketNo.ToLower().Contains(marketNo.ToLower()))

            && (string.IsNullOrEmpty(isCombination) || isCombination != "Y" || e.TypeEnum == 200);



            if (!string.IsNullOrEmpty(name))

            {

                var nameList = name.Split(',').Select(e => e.Trim())

                    .Where(e => !string.IsNullOrEmpty(e));



                if (nameList.Any())

                {

                    q = q.AndAlso(nameList

                        .Select(s => (Expression<Func<Market, bool>>)(e => e.Name.ToLower().Contains(s.ToLower())))

                        .OrElseAll());

                }

            }

另外在 google，整理了 stackoverflow 幾篇文章之後得到的另一個方法，比較複雜, 不過可以讓人理解一下 Expression 比較底層的東西，也留下來參考一下。

    internal class MergeTool : ExpressionVisitor

    {

        private readonly ParameterExpression _parameter;



        protected override Expression VisitParameter(ParameterExpression node)

        {

            return base.VisitParameter(_parameter);

        }



        internal MergeTool(ParameterExpression parameter)

        {

            _parameter = parameter;

        }



        public static Expression<Func<T, bool>> MergedExpression<T>(Expression<Func<T, bool>> e1, Expression<Func<T, bool>> e2)

        {

            ParameterExpression param = Expression.Parameter(typeof(T));



            BinaryExpression MergeBody = Expression.AndAlso(e1.Body, e2.Body);



            var ReplacedBody = (BinaryExpression)new MergeTool(param).Visit(MergeBody);



            return Expression.Lambda<Func<T, bool>>(ReplacedBody, param);

        }

    }



使用時要 Compile



            var mergedExpression = MergeTool.MergedExpression(e1, e2);



            var list = testList.Where(mergedExpression.Compile());

最近發生 email 有人輸入中文可以過的狀況。測試後才發現 \w 在 C# 可以輸入中文驗證過

        string strPattern = @"^[\w\.-]{1,}@[a-zA-Z0-9][\w\.-]*\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$";

        System.Text.RegularExpressions.Regex regEx = new System.Text.RegularExpressions.Regex(strPattern);

        string email = "darrenTEST@gmail.com";

        Response.Write(email + " - > " + regEx.IsMatch(email) + "<br/>");

        email = "darren_東@gmail.com";

        Response.Write(email + " - > " + regEx.IsMatch(email) + "<br/>");



// darrenTEST@gmail.com - > True

// darren_東@gmail.com - > True

把 \w 換成 A-Za-z0-9_ 就可以驗證過

string strPattern = @"^[a-zA-Z0-9_\.-]{1,}@[a-zA-Z0-9][\w\.-]*\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$";

        System.Text.RegularExpressions.Regex regEx = new System.Text.RegularExpressions.Regex(strPattern);

        string email = "darrenTEST@gmail.com";

        Response.Write(email + " - > " + regEx.IsMatch(email) + "<br/>");

        email = "darren_東@gmail.com";

        Response.Write(email + " - > " + regEx.IsMatch(email) + "<br/>");



// darrenTEST@gmail.com - > True

// darren_東@gmail.com - > False

可是搬到 js 處理，就可以過

        const regex = /^[\w\.-]{1,}@[a-zA-Z0-9][\w\.-]*\.[a-zA-Z][a-zA-Z\.]*[a-zA-Z]$/;

        console.log(regex.test('darrenTEST@gmail.com')); // true

        console.log(regex.test('darren_東@gmail.com')); // false

我想這是 C# 把 \w 當作 [word] 處理的關係，非符號都當作是文字
其他程式語言沒有測試過。不知是不是 c# 獨有的狀況

1. .Net Core 5.0 使用.
2. 可切換後, 適用於 MsSQL, MySql, Oracle
3. 預設所有 SQL 執行時要經過 SQL Injection 檢查.
(移除 "CheckDangerSQL", 併入 IsSqlInjection) 

預設會把 CR 和 LF 換成 空白，以免 sql injection 檢查發生錯誤, 有參數可以控制這個行為。sql 和 資料應該要分開，sql 中的 CR 和 LF 被換成空白應該不會有問題。

4. 不要再使用 SqlStr, 改用 SqlValue (避免誤用, SqlStr 有一個問題, 若是忘了加上 '' 會有可能造成 sql injection)

5. ORM 的 Class Name, 若遇到全大寫的字節, 要先轉小寫, 再把第一個字母變大寫.

6. CopyPropertiesTo, CopyTo.. 
   SetValue 時, 若發生錯誤, 要顯示錯誤欄位名稱. (Tmi 的版本, ObjUtil.cs)

7. CopyFromDataRow: 
   string 自動轉 DateTime
   string 自動轉  int, long, decimal..

8. Criteria 的 In 和 operator (|) 要接 list 做為參數, 不要再直接用字串做參數.

9. OrderBy 增加 by column 且可以多個串接

10. Update 時可以用 sql 語法 (參考聖宜的  GetSetFieldWithExpression)

11. 檢查 SQL Injection 的方法改為先把 \r 和 \n 用空白取代，再檢查, 再取代參數。

12. DtFromSql 和 ExecuteSql 傳入 connection 和 transaction 的版本先刪除，未來有需要再增加。 

SELECT cast(ProductID AS NVARCHAR ) + ',' from [Order Details]

where OrderID = '10248'

FOR XML PATH('')

參考: http://www.dotblogs.com.tw/kevinya/archive/2012/06/01/72553.aspx

EX:

SELECT ',' + ltpid

FROM V_ltp_main WHERE ltpkind = 2

FOR XML PATH('')

STUFF ( character_expression , start , length ,character_expression )
下列範例會傳回從第一個字串 (abcdef) 中，從位置 2 (b) 開始，刪除三個字元所建立的字元字串，且會在刪除點插入第二個字串。

SELECT STUFF('abcdef', 2, 3, 'ijklmn')

http://technet.microsoft.com/zh-tw/library/ms188043(v=sql.105).aspx

EX:

select STUFF(

(SELECT ',' + ltpid FROM V_ltp_main WHERE ltpkind = 2 FOR XML PATH(''))

, 1, 1, '')