堆栈内存溢出
  简体   繁体   English

SQL Server 2005中的单引号和双引号插入查询

[英]Single and double quotes in Sql Server 2005 insert query

 原文  2011-11-14 05:59:44       c#/ asp.net/ sql-server/ sql-server-2005

问题描述

There is single and double quotes in the address textbox .How can I insert into database. 地址文本框中有单引号和双引号。如何插入数据库。 I am using SQL2005. 我正在使用SQL2005。 My code is as follows... 我的代码如下... 

str = "exec sp_cust_reg '" + customer.Cust_Id + "','" + customer.Cust_Name + "','" + customer.Gender + "','" + customer.Acc_no + "','" + customer.Address + "','" + customer.Pin_no + "','" + customer.Phone_no + "','" + customer.Mobile_no + "','" + customer.Email + "','" + customer.Authorise + "'";

Address is jo"hn's house 地址是乔恩的家

Its Text Visualizer is as follows... 其文本可视化器如下... 

exec sp_cust_reg 'C7','George Joseph','Male','0001-212123','jo"hn's house','515151','04862787896','8888888888','johnyqw@gmail.com','N'

I used 我用了 

string sql = str.Replace("\'", " ");.

Then I get 然后我得到 

exec sp_cust_reg  C7 , George Joseph , Male , 0001-212123 , jo"hn s house , 515151 , 04862787896 , 8888888888 , johnyqw@gmail.com , N

3 个解决方案

解决方案1
 8  2011-11-14 06:04:18

One word: DON'T DO IT! 一句话: 不要做!

Use parametrized queries instead - those are both safer (no SQL injection) and easier to work with, and perform better, too! 改用参数化查询 -既安全(无SQL注入),更易于使用,性能也更好! 

SqlCommand cmd = new SqlCommand("dbo.sp_cust_reg", _connection);
cmd.CommandType = CommandType.StoredProcedure;

// add parameters and their values
cmd.Parameters.Add("@CustID", SqlDbType.Int).Value = customer.Cust_Id;
cmd.Parameters.Add("@Cust_Name", SqlDbType.VarChar, 100).Value = customer.Cust_Name;
 ..... and so on - define all the parameters!

_connection.Open();
cmd.ExecuteNonQuery();
_connection.Close();

解决方案2
 1  2011-11-14 06:10:10

You can also use Parameterized queries for giving the values, using the AddWithValue() of Parameters like 您还可以使用参数化查询来提供值,并使用Parameters的AddWithValue() 

SqlCommand cmd = new SqlCommand("dbo.sp_cust_reg",_connection);
cmd.CommandType= CommandType.StoredProcedure;

cmd.Parameters.AddWithValue("@TheDate",customer.Cust_Id);
cmd.Parameters.AddWithValue("@Cust_Name",customer.Cust_Name);

_connection.Open();
cmd.ExecuteNonQuery();
_connection.Close();

Why I am telling to use AddWithValue is - you explicitly set the sqldb.type and SQL knows exactly the dbtype when passed. 为什么要告诉我使用AddWithValue是-您显式设置sqldb.type,并且SQL传递时确切知道dbtype。

解决方案3
 -1 已采纳  2011-11-14 06:01:24

You escape ' as '' . 你逃跑'''

So instead of str.Replace("\\'", " ") use str.Replace("'", "''") 因此str.Replace("\\'", " ")使用str.Replace("'", "''")代替str.Replace("\\'", " ") str.Replace("'", "''")

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在SQL查询中用双引号替换单引号 - Replacing single quotes with double quotes in SQL Query 如何使用单个查询将数据集中的多个记录插入SQL Server 2005? - How can I use single query to insert multiple records from Dataset into SQL Server 2005? SQL 2005/2008中的转义双引号 - Escape double quotes in SQL 2005/2008 单引号的SQL查询 - SQL Query with single quotes 如何插入包含单引号或双引号的字符串 - How to insert string containing single or double quotes 在Sql Server中插入Double - Insert Double In Sql Server SQL Server 2005中的XML查询 - XML query in SQL Server 2005 用双引号替换单引号 - Replacing single quotes with double Quotes 将字符串插入不带引号的 SQL 查询 - Insert string into SQL query without quotes 压缩SQL Server 2005查询结果? - Compress SQL Server 2005 query results?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM