在 PowerShell 中转义包含单引号的字符串准备 SQL 查询
[英]Escaping strings containing single quotes in PowerShell ready for SQL query
问题描述
I am trying to run the following query, which takes someone's name and attempts to insert it into an SQL Server database table.
我正在尝试运行以下查询,该查询采用某人的姓名并尝试将其插入 SQL Server 数据库表中。
$name = "Ronnie O'Sullivan"
$dataSource = "127.0.0.1"
$database = "Danny"
$connectionString = "Server=$dataSource;Database=$database;Integrated Security=True;"
$connection = New-Object System.Data.SqlClient.SqlConnection
$connection.ConnectionString = $connectionString
$connection.Open()
$query = "INSERT INTO People(name) VALUES('$name')"
$command = $connection.CreateCommand()
$command.CommandText = $query
$command.ExecuteNonQuery()
$connection.Close()
The problem I am facing is that the single quote is causing an issue in my query.我面临的问题是单引号导致我的查询出现问题。 The query is being executed as查询正在执行为
INSERT INTO People(name) VALUES('Ronnie O'Sullivan')
which causes an SQL syntax error.这会导致 SQL 语法错误。
My question is how do I escape my $name variable so that it renders on the SQL side.我的问题是如何转义 $name 变量以便它在 SQL 端呈现。
One solution is to do a find and replace on my $name variable, find: ' replace: ''一种解决方案是对我的 $name 变量进行查找和替换, find: ' replace: ''
$name.Replace("'", "''")
Is there a more elegant solution out there, or a function that I can't seem to find?有没有更优雅的解决方案,或者我似乎找不到的功能?
Thank you.谢谢你。
2 个解决方案
解决方案1
17 已采纳 2014-02-20 14:55:01
You can try to update your code to to use a parametrised value that will cope with quotes in a string:您可以尝试将代码更新为使用参数化值来处理字符串中的引号:
$query = "INSERT INTO People(name) VALUES(@name)"
$command = $connection.CreateCommand()
$command.CommandText = $query
$command.Parameters.Add("@name", $name) -- | Out-Null (may be required on the end)
$command.ExecuteNonQuery()
I'm not experienced with powershell but referenced this post for a parametrised query :我对 powershell 没有经验,但引用了这篇文章进行参数化查询:
解决方案2
0 2020-10-20 22:32:31
Tanner's helpful answer is definitely the most robust and secure solution , because using a [parameterized / prepared statement (query) eliminates any possibility of a SQL injection attack. Tanner 的有用答案绝对是最强大和最安全的解决方案,因为使用 [参数化/准备好的语句(查询)消除了SQL 注入攻击的任何可能性。
However, in this constrained case , where you want to insert a value into a single-quoted SQL string ( '...' ) , you can get away with simply doubling any embedded ' characters in the value :但是,在这种受限制的情况下,您希望将值插入到单引号 SQL 字符串 ( '...' ) 中,您只需将值中的任何嵌入'字符加倍即可:
$query = "INSERT INTO People(name) VALUES('$($name -replace "'", "''")')"
The above uses PowerShell's string interpolation via $(...) , the subexpression operator , to embed an expression that uses the -replace operator to double all embedded ' instances in the value of $name .上面通过$(...) 子表达式运算符使用 PowerShell 的字符串插值来嵌入一个表达式,该表达式使用-replace运算符将所有嵌入的'实例加倍到$name的值中。
Note: You could also use $name.Replace("'", "''") above, which performs better in this simple case, but PowerShell's -replace operator is generally preferable, not only for being PowerShell-native, but for offering superior abilities, because it is regex-based and supports array as its LHS - see this comment on GitHub .注意:你也可以使用上面的$name.Replace("'", "''") ,它在这个简单的情况下表现更好,但 PowerShell 的-replace操作符通常更可取,不仅是因为是 PowerShell 本地的,而且是为了提供卓越的能力,因为它基于正则表达式并支持数组作为其 LHS - 请参阅GitHub 上的此评论。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.