在将值发送到参数化查询之前,我应该转义单引号吗?
[英]Should I Escape Single Quotes Before Sending a Value to a Parameterized Query?
问题描述
I was told (or read somewhere) that when you use parameterized queries (eg with an ADODB.Command object), all of the escaping is handled internally either within the Command object or within the database engine. 
有人告诉我(或在某处阅读),当您使用参数化查询(例如,使用ADODB.Command对象)时,所有转义都在Command对象或数据库引擎内部进行处理。
Is this true? 这是真的?
An Example of my command code is below - is it safe to pass a raw parameter as with the first parameter created, or should it be escaped as with the second parameter? 下面是我的命令代码示例-与创建的第一个参数一样传递原始参数是否安全,还是应该像第二个参数一样将其转义?
My specific environment is vbscript on windows 2008 (or newer) and SQL Server 2008 (or newer). 我的特定环境是Windows 2008(或更高版本)和SQL Server 2008(或更高版本)上的vbscript。
Dim oSproc : Set oSproc = CreateObject("ADODB.Command")
With oSproc
.ActiveConnection = oConn
.CommandText = "mysp_SPNAME"
.CommandType = adCmdStoredProc
With .Parameters
.Append oSproc.CreateParameter("@IN_str1", adVarChar, adParamInput, 255, myStr)
.Append oSproc.CreateParameter("@IN_str2", adVarChar, adParamInput, 255, replace(myStr, "'", "''"))
End With
.Execute
End With
1 个解决方案
解决方案1
2 已采纳 2015-09-29 16:13:35
Its true; 这是真的; parametrization is done by the Command object when you use it in conjunction with Parameter objects. 当您将Command对象与Parameter对象一起使用时,参数化由Command对象完成。
You can verify this by passing "'" and observing there is no error, or by running a trace and looking at the sp_executeSQL call. 您可以通过传递"'"并观察没有错误,或者运行跟踪并查看sp_executeSQL调用来验证这一点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.