C#,替换查询中的特殊字符
[英]C#, replacing special character in query
问题描述
I have a record in a database containing special characters like &,' (apostrophe). 
我在数据库中有一条记录,其中包含特殊字符,例如&,' (撇号)。
The record look like this.. stack'overflow . 记录看起来像这样.. stack'overflow 。
In my query I have written like this. 在我的查询中,我这样写。
where name = ' " +name+ " ' ";
Suppose the name is stack'overflow - then it gives me a syntax error. 假设名称为stack'overflow那么它给了我一个语法错误。
How to solve it? 怎么解决呢?
I am using C# 我正在使用C#
6 个解决方案
解决方案1
4 2011-03-15 15:03:08
Your question is very unclear but the answer is almost certainly going to be not to include data in SQL statements. 您的问题尚不清楚,但是答案几乎肯定是不会在SQL语句中包含数据。 Use a parameterized query instead, so you don't need to worry about performing any escaping etc yourself. 而是使用参数化查询,因此您无需担心自己执行任何转义等操作。
As an example, have a look at the SqlCommand.Parameters documentation - but be aware that different DB providers use different approaches to parameters (eg named vs positional). 作为示例,请查看SqlCommand.Parameters文档-但要注意,不同的数据库提供程序使用不同的参数方法(例如,命名方法与位置方法)。
解决方案2
2 2011-03-15 15:03:55
Dont append text into a query. 不要在查询中附加文字。 Search google for SQL Injection. 在Google中搜索SQL注入。 Its a big problem and you shouldnt be doing this. 这是一个大问题,您不应该这样做。 You are potentially leaving yor application open to serious attack. 您可能会使您的应用程序容易受到严重攻击。
One solution is to use SQL parameters instead in your queries. 一种解决方案是在查询中使用SQL参数。 Take a look here for further information : Adding Parameters to Commands 在此处查看更多信息: 在命令中添加参数
解决方案3
2 2011-03-15 15:04:16
Use parameterized queries . 使用参数化查询 。 They will handle the escaping of special characters for you and will help guard against SQL injection attacks. 他们将为您处理特殊字符的转义,并有助于防御SQL注入攻击。 They also provide a better mechanism for the SQL server to cache an execution path to improve performance. 它们还为SQL Server提供了更好的机制来缓存执行路径以提高性能。
Never, ever, ever use concatenated SQL. 永远,永远, 永远使用串联SQL。
解决方案4
2 2011-03-15 15:05:47
A better way to do this would be to use parameterized queries. 更好的方法是使用参数化查询。 String building for SQL can be pretty dangerous if the data is not santized properly beforehand. 如果事先未正确地对数据进行语法处理,则用于SQL的字符串构建可能非常危险。
Try something like this: 尝试这样的事情:
string query = "SELECT * FROM myTable WHERE name = @p_name";
SqlCommand cmd = new SqlCommand(query, sqlConnection);
cmd.Parameters.AddWithValue("@p_name",yourTextItem);
Updated for your situation: 针对您的情况进行了更新:
string myName = TextBox1.Text;
string query = "SELECT * FROM myTable WHERE name LIKE %@p_name%";
SqlCommand cmd = new SqlCommand(query, sqlConnection);
cmd.Parameters.AddWithValue("@p_name",myName);
解决方案5
0 已采纳 2011-03-15 15:02:45
You need to use parameters. 您需要使用参数。
For more information, consult the documentation for whatever you're using. 有关更多信息,请查阅文档以了解所使用的内容。
解决方案6
0 2011-03-15 15:03:02
replace "'" with "''" in your name variable before passing in and you should be fine. 在传入之前在名称变量中用"''"替换"'" ,您应该可以。
EDIT: 编辑:
Yes This would just be a temporary solution. 是的,这只是一个临时解决方案。 To permanantly get rid of your problem please use parameterized query. 要永久解决您的问题,请使用参数化查询。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.