stackoom
  简体   繁体   中英

retrieving special characters from database to C#

 原文  2016-09-16 03:26:25       c#/ asp.net/ sql-server

Question

i have a data in my database 'A Plus 18" Stand Fan' without the single quote. i used nvarchar to save the data as it is, but when i try to retrieve it from the database, the data is returning 'A Plus 18\\" Stand Fan' . I tried using WebUtility.HtmlDecode and HtmlUtility.Html.Decode also WebUtility.UrlDecode . Can someone help me? thanks!

here is my code where i read the data from the database for comparison. the "Model" is the one i need to fix 

for (int y = 0; y < dt.Rows.Count; y++)
        {
            model = dt.Rows[y]["ItemModel"].ToString();
            string companys = "";

            companys = dt.Rows[y]["Company"].ToString();



            //getAMS(model, quan);
            Utility a = new Utility();
            string com = a.PO();
            SqlConnection con = new SqlConnection(com);
            SqlCommand read = con.CreateCommand();
            SqlDataReader reader = null;
            string stat = "Delivered";

            string mod = "SELECT SUM(Quantity) as Quantity from vConsumables_Balance where Model ='" + model + "' AND Company = '" + companys + "' AND Status = 'Delivered'";

            try
            {
                con.Open();
                read.CommandText = mod;
                reader = read.ExecuteReader();
            }
            catch (System.Exception)
            {
                Console.WriteLine("Error");
            }

            while (reader.Read())
            {

                    quan = reader.GetDecimal(0).ToString();



            }

1 answers

solution1
 1 ACCPTED  2016-09-16 08:17:48

The code line string mod = "SELECT SUM(Quantity) as Quantity from vConsumables_Balance where Model ='" + model + "' AND Company = '" + companys + "' AND Status = 'Delivered'"; shows that you are creating SQL queries by concatenating string manually. I assume you did the same when inserting the data into the database and used some tool of your own for escaping some characters.

That is a bad idea. You should change all your queries to parameterized queries. That will help you with other issues you are likely to encounter: formatting of numbers and dates, and it will also provide some protection against SQL injection attacks.

As for the Status column, I'd suggest to use an integer value representing an enumeration value instead of a string.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Eliminate special characters from CSV with C# Extract special characters from a text in C# C# special characters C# and special characters Saving and retrieving an image from database in c# Retrieving data from database in Visual C# Retrieving total count from database to c# Retrieving records from Database in C# C# Retrieving transitive data from database Retrieving records from a database in C# 2008
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM