[英]How to insert string containing single or double quotes
If I want to insert a statement which contains quotation mark, how is it possible ? 如果我要插入包含引号的语句,怎么可能?
For Example I have a text box and I enter: 例如,我有一个文本框,然后输入:
Future Swami Vivekananda’s grand father's name was "____" .
If you use properly parameterized statements , you shouldn't need to worry about it. 如果使用正确的参数化语句 ,则无需担心。 Something like this (though please don't learn C# techniques from me):
像这样的东西(尽管请不要向我学习C#技术):
string sql = @"UPDATE dbo.table SET col = @p1 WHERE ...;";
string myString = @"hello'foo""bar";
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.CommandType = CommandType.Text;
SqlParameter p1 = cmd.Parameters.AddWithValue("@p1", myString);
cmd.ExecuteNonQuery();
(Though you really should be using stored procedures.) (尽管您确实应该使用存储过程。)
If you are building your strings manually (which you really, really, really shouldn't be doing), you need to escape string delimiters by doubling them up: 如果您是手动构建字符串(实际上,实际上,实际上不应该这样做),则需要通过将它们加倍来转义字符串定界符:
INSERT dbo.tbl(col) VALUES('hello''foo"bar');
Use a parameterized query - then quotes don't matter at all . 使用参数化查询-那么行情并不重要的 。 Also - your database doesn't get taken over by SQL injection - so win/win really.
另外-您的数据库不会被SQL注入所接管-因此,双赢确实如此。
You can double up the quote: 您可以将报价加倍:
INSERT INTO table
VALUES ('Future Swami Vivekananda''s grand father''s name was "____"')
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.