如何在 MySQL 查询中使用 VB.NET 参数连接单引号?
[英]How to concatenate single quote in MySQL query with VB.NET parameter?
问题描述
I am making a MySQL Select query using MySQLCommand object in VB.NET were I use parameters.
我正在使用 ZBD5C8A1AFE53C8BA44F60C9AF6C03C2 中的 MySQLCommand object 查询 MySQL Select 查询。 I am facing an issue, in my where clause, I need to put the value for the criteria into single quote, I tried to use backslash ' (\') to escape the single quote, it does not work.我遇到了一个问题,在我的 where 子句中,我需要将条件的值放入单引号中,我尝试使用反斜杠 ' (\') 来转义单引号,但它不起作用。 I used double quotes as well, same issue.我也使用了双引号,同样的问题。 Can somebody help me?有人可以帮助我吗? Is there something specific I need to do when using the MySQLCommand object in VB.NET with parameter and want my parameter value to be in single quote into a query?在 VB.NET 中使用带有参数的 MySQLCommand object 并希望我的参数值在查询中使用单引号时,我需要做些什么具体的事情吗?
Here is the Function in which I make the MySQL query:这是 Function,我在其中进行了 MySQL 查询:
Public Shared Function getGeographyUnits(critere As String, valeur As String) As List(Of geography_unit)
Dim conn As MySqlConnection = DBUtils.GetDBConnection()
Dim rdr As MySqlDataReader
conn.Open()
Dim cmd As MySqlCommand = New MySqlCommand("select ID,description from geography_unit where @critere = ''@valeur''", conn)
cmd.Parameters.AddWithValue("@critere", critere)
cmd.Parameters.AddWithValue("@valeur", valeur)
rdr = cmd.ExecuteReader()
Dim geography_units As New List(Of geography_unit)
While rdr.Read
Dim geography_unit As New geography_unit
Try
geography_unit.ID = CLng(rdr("Id"))
geography_unit.description = rdr("description")
Catch ex As Exception
End Try
geography_units.Add(geography_unit)
End While
rdr.Close()
conn.Close()
Return geography_units
End Function
Actually, I want the cmdText for my query to be something like this after rendering:实际上,我希望我的查询的 cmdText 在渲染后是这样的:
select ID,description from geography_unit where critere = 'valeur'
The issue comes mainly from the fact that I am using parameter, how can I solve it?问题主要来自我使用参数的事实,我该如何解决?
2 个解决方案
解决方案1
0 已采纳 2021-01-05 16:53:40
You need to fix your code with something like this.你需要用这样的东西来修复你的代码。 But please note a couple of things.但请注意几件事。
If the @valeur is enclosed in single quotes it is no more a parameter placeholder but a string constant and the parameter associated with the placeholder will not be used.如果@valeur 用单引号括起来,则它不再是参数占位符,而是字符串常量,并且不会使用与占位符关联的参数。
The connection should always enclosed in a using statement to avoid dangerous resources consuption on the server连接应始终包含在 using 语句中,以避免服务器上的危险资源消耗
If you want to have a variable list of field to which apply the valeur passed then you need to be absolutely sure that your user is not allowed to type the value for critere .如果您想要一个变量列表应用到传递的valeur ,那么您需要绝对确保您的用户不允许键入critere的值。 You should provide some kind of control like combobox or dropdwonlist where the user could only choose between a prefixed set of values, then you can concatenate the critere variable to your sql command.您应该提供某种控件,例如 combobox 或 dropdwonlist,其中用户只能在一组前缀值之间进行选择,然后您可以将标准变量连接到sql命令。
Public Shared Function getGeographyUnits(critere As String, valeur As String) As List(Of geography_unit)
Using conn As MySqlConnection = DBUtils.GetDBConnection()
Dim sqlText As String = "select ID,description from geography_unit"
conn.Open()
If Not String.IsNullOrEmpty(critere) Then
sqlText = sqlText & " where " & critere & " = @valeur"
End If
Dim cmd As MySqlCommand = New MySqlCommand(sqlText, conn)
cmd.Parameters.Add("@valeur", MySqlDbType.VarChar).Value = valeur
Using rdr As MySqlDataReader = cmd.ExecuteReader()
Dim geography_units As New List(Of geography_unit)
While rdr.Read
Dim geography_unit As New geography_unit
Try
geography_unit.ID = CLng(rdr("Id"))
geography_unit.description = rdr("description")
Catch ex As Exception
End Try
geography_units.Add(geography_unit)
End While
End Using
' rdr.Close() not needed when inside using
' conn.Close() not needed when inside using
Return geography_units
End Using
End Function
Also worth of note is the point in which I have used the Add method to add the parameter to the collection.另外值得注意的是,我使用Add方法将参数添加到集合中。 The AddWithValue , while convenient, is the cause of a lot of bugs because it defines the type of the parameter looking at the argument received. AddWithValue虽然方便,但却是许多错误的原因,因为它定义了查看接收到的参数的参数类型。 This could end very badly when you pass dates or decimal numbers directly from a string.当您直接从字符串传递日期或十进制数字时,这可能会以非常糟糕的方式结束。
解决方案2
0 2021-01-05 17:07:11
Quite simply, as valeur is a string then your query needs to be as follows很简单,因为 valeur 是一个字符串,所以您的查询需要如下
"select ID,description from geography_unit where critere = '" & valeur & "'" “选择 ID,来自 geography_unit 的描述,其中 Critere = '” & valeur & “'”
If valeur was numeric then the format should be as follows "select ID,description from geography_unit where critere = " & valeur如果 valeur 是数字,则格式应如下“select ID,description from geography_unit where critere =” & valeur
Note the difference where single quotes are included within double quotes around the variable when it is a string.请注意当变量是字符串时,单引号包含在变量周围的双引号中的区别。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.