Restful 的 API 範例，比較特別的是取得單一筆資料時，不是用一般常見的 {id} 而是用 get?id=xxx 的方式，以避免 XXS 的功擊。(不要把原網頁中的參數拼入 API 網址，要改用 Query String 的方式傳給 API)

using Ds;

using Ds.Gv;

using iText.Kernel.Geom;

using Microsoft.AspNetCore.Mvc;

using Microsoft.EntityFrameworkCore;

using NPOI.SS.Formula.Functions;

using NPOI.SS.Util;

using Su;

using System.Linq.Expressions;



namespace CallCampaign.Api

{

    /// <summary>

    /// 行銷活動

    /// </summary>

    [Route("api/call-campaign")]

    [ApiController]

    [SetAuthorizationFilter(Sh.AuthCode.不設限)]

    public class ReserveCampaignController : Controller

    {

        /// <summary>

        /// 取得行銷活動列表

        /// </summary>

        /// <param name="reserveCampaignName"></param>

        /// <param name="currentPage"></param>

        /// <param name="pageSize"></param>

        /// <param name="orderByName"></param>

        /// <param name="sort"></param>

        /// <returns></returns>

        /// <exception cref="Exception"></exception>

        [HttpGet("")]

        public async Task<object> ListAsync([FromQuery] string reserveCampaignName = "", [FromQuery] int? currentPage = 1, [FromQuery] int? pageSize = 20, [FromQuery] string orderByName = "OrderNo", [FromQuery] string sort = "asc")

        {

            if (pageSize > 500)

            {

                pageSize = 500;

            }



            if (!(sort == "asc" || sort == "desc"))

            {

                throw new CustomException(System.Net.HttpStatusCode.BadRequest, "sort只能是asc或desc");

            }



            var temp = new V_ReserveCampaign().GetType().GetProperty(orderByName);

            if (temp == null)

            {

                throw new CustomException(System.Net.HttpStatusCode.BadRequest, "不存在欄位");

            }



            Expression<Func<V_ReserveCampaign, bool>> q = p => p.Is_Deleted == "N"

                    && (string.IsNullOrEmpty(reserveCampaignName) || (p.ReserveCampaignName != null && p.ReserveCampaignName.Contains(reserveCampaignName)))

                    ;



            if (orderByName.ToLower().Trim() != "id")

            {

                orderByName += " " + sort + ", id desc";

            }

            else

            {

                orderByName += " " + sort;

            }



            var ct = NewContext.GvContext;

            var list = await ct.GetPageListAsync(q, columns: "Id, ReserveCampaignName, OrderNo, StartAt, EndAt, ModifierName, ModifyDate, CreatorName, CreateDate", page: currentPage ?? 1, pageSize: pageSize ?? 20, orderByName);

            //var list = await ct.GetPageListAsync(q, page: currentPage ?? 1, pageSize: pageSize ?? 20, orderByName + " " + sort);

            return list;

        }



        /// <summary>

        /// 取得行銷活動

        /// </summary>

        /// <param name="Id"></param>

        /// <returns></returns>

        /// <exception cref="Exception"></exception>

        [HttpGet("get")]

        public async Task<dynamic> GetAsync([FromQuery] int Id)

        {

            var res = await Ds.NewContext.GvContext.ReserveCampaigns.Where(r => r.Id == Id)

                .FirstOrDefaultAsync();



            if (res == null)

            {

                throw new CustomException(System.Net.HttpStatusCode.BadRequest, "查無資料 " + Id.ToString());

            }

            return res;

        }

                

        /// <summary>

        /// 建立行銷活動

        /// </summary>

        /// <param name="dto"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpPost("")]

        public async Task<object> CreateAsync(Dtos.CreateReserveCampaign dto)

        {

            var ct = NewContext.GvContext;

            var res = await Models.ReserveCampaignHelper.CreateReserveCampaignAsync(ct, dto);

            return res;

        }



        /// <summary>

        /// 編輯行銷活動

        /// </summary>

        /// <param name="dto"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpPatch("")]

        public async Task<object> UpdateAsync(Dtos.UpdateReserveCampaign dto)

        {

            var ct = NewContext.GvContext;

            var res = await Models.ReserveCampaignHelper.UpdateReserveCampaignAsync(ct, dto);

            return res;

        }



        /// <summary>

        /// 刪除行銷活動

        /// </summary>

        /// <param name="id"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpDelete("")]

        public async Task<object> DeleteAsync([FromQuery] int id)

        {

            var res = await Ds.NewContext.GvContext.MarkDeleteAsync<Ds.Gv.ReserveCampaign>(id, Sh.ModifyInfo);

            return res;

        }

    }

}

再增加一個同步範例(只例出 action)

        /// <summary>

        /// 取得列表

        /// </summary>

        /// <param name="name"></param>

        /// <param name="currentPage"></param>

        /// <param name="pageSize"></param>

        /// <param name="orderByName"></param>

        /// <param name="sort"></param>

        /// <returns></returns>

        [HttpGet("")]

        public object List([FromQuery] string name = "", [FromQuery] int? currentPage = 1, [FromQuery] int? pageSize = 20, [FromQuery] string orderByName = "OrderNo", [FromQuery] string sort = "asc")

        {

            return "";

        }



        /// <summary>

        /// 取得明細資料

        /// </summary>

        /// <param name="Id"></param>

        /// <returns></returns>

        /// <exception cref="Exception"></exception>

        [HttpGet("get")]

        public object Get([FromQuery] int id)

        {

            return "";

        }



        /// <summary>

        /// 建立

        /// </summary>

        /// <param name="dto"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpPost("")]

        public object Create(Dtos.PhysicalCheckUpType dto)

        {

            return "";

        }



        /// <summary>

        /// 編輯

        /// </summary>

        /// <param name="dto"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpPatch("")]

        public object Update(Dtos.PhysicalCheckUpType dto)

        {

            return "";

        }



        /// <summary>

        /// 刪除

        /// </summary>

        /// <param name="id"></param>

        /// <returns></returns>

        /// <exception cref="CustomException"></exception>

        [HttpDelete("")]

        public object Delete([FromQuery] int id)

        {

            return 1;

        }

1. .Net Core 5.0 使用.
2. 可切換後, 適用於 MsSQL, MySql, Oracle
3. 預設所有 SQL 執行時要經過 SQL Injection 檢查.
(移除 "CheckDangerSQL", 併入 IsSqlInjection) 

預設會把 CR 和 LF 換成 空白，以免 sql injection 檢查發生錯誤, 有參數可以控制這個行為。sql 和 資料應該要分開，sql 中的 CR 和 LF 被換成空白應該不會有問題。

4. 不要再使用 SqlStr, 改用 SqlValue (避免誤用, SqlStr 有一個問題, 若是忘了加上 '' 會有可能造成 sql injection)

5. ORM 的 Class Name, 若遇到全大寫的字節, 要先轉小寫, 再把第一個字母變大寫.

6. CopyPropertiesTo, CopyTo.. 
   SetValue 時, 若發生錯誤, 要顯示錯誤欄位名稱. (Tmi 的版本, ObjUtil.cs)

7. CopyFromDataRow: 
   string 自動轉 DateTime
   string 自動轉  int, long, decimal..

8. Criteria 的 In 和 operator (|) 要接 list 做為參數, 不要再直接用字串做參數.

9. OrderBy 增加 by column 且可以多個串接

10. Update 時可以用 sql 語法 (參考聖宜的  GetSetFieldWithExpression)

11. 檢查 SQL Injection 的方法改為先把 \r 和 \n 用空白取代，再檢查, 再取代參數。

12. DtFromSql 和 ExecuteSql 傳入 connection 和 transaction 的版本先刪除，未來有需要再增加。 

使用範例如下:

    void getList()

    {

        var Q = TN.Admin.TCatOrderDeliveryRecord.Select().OrderBy("DeliveryCompletion_Date, Id Desc");



        if (U2.WU.IsNonEmptyFromQueryStringOrForm("OD00"))

        {

            Q.And("OD00 = ", U2.WU.GetValue("OD00"));

        }



        if (U2.WU.V.StartDate_IsOK)

        {

            Q.And("DeliveryCompletion_Date >= ", U2.WU.V.StartDate);

        }



        if (U2.WU.V.EndDate_IsOK)

        {

            Q.And("DeliveryCompletion_Date < ", U2.WU.V.EndDate);

        }



        U2.JSON.WriteSuccessData(Q.GetPageDT2(U2.WU.V.CurrentPage, U2.WU.V.PageSize));

    }

        public void TEST(SEPM.SEPMDataContext oDC)

        {

            //一般 LINQ 寫法, 欄位只能寫死, 如:

            var Q = query.OrderBy(r => r.statusId).ToList();



            //若 OrderBy 的欄位不是固定的



            //方法一：條列

            var orderBy = "XXX";

            if (orderBy == "ownerId")

            {

                Q = Q.OrderBy(r => r.ownerId).ToList();

            }

            else if (orderBy == "endDate")

            {

                Q = Q.OrderBy(r => r.endDate).ToList();

            }



            //方法二：

            Q = Q.OrderBy(r => GetPropertyValue(r, orderBy)).ToList();

        }



        private object GetPropertyValue(object obj, string property)

        {

            System.Reflection.PropertyInfo propertyInfo = obj.GetType().GetProperty(property);

            return propertyInfo.GetValue(obj, null);

        }

參考：http://coderemind.blogspot.tw/2013/10/linq.html

            Random rand = new Random(Guid.NewGuid().GetHashCode());



            List<int> listLinq = new List<int>(Enumerable.Range(0, dt.Rows.Count - 1));

            listLinq = listLinq.OrderBy(num => rand.Next()).ToList<int>();

參考:

https://dotblogs.com.tw/flweblab/2017/11/21/104209