將括號或引號保存到vb.net中的sql中

Question

我在vb項目中有一個保存命令。 問題是它不會保存帶有“”或括號的文本。 我認為這與sql命令有關。這是我用於保存和更新的代碼

保存

  Dim myAdapter As New MySqlDataAdapter
            Dim myDatatable As New DataTable
            Dim command As New MySqlCommand
            Dim add As String

            add = "INSERT INTO tracker.recordtracker (Action_Taken,Marginal_Note,Remarks,Type_of_Document,Referred_Date,Items,Received_From,Received_Date,Referred_To,recdate,refdate)values('" + acttaken.Text + "','" + margnote.Text + "','" + remarks.Text + "','" + doctype.Text + "','" + rfrldatelbl.Text + "','" + itemtbx.Text + "','" + rfromtbx.Text + "','" + rcvdate.Text + "','" + reftotbx.Text + "' ,'" + rdate.Text + "',@refdate)"
            command = New MySqlCommand(add, connection)
            refdate.CustomFormat = "yyyy-MM-dd"


            myAdapter.SelectCommand = command
            myAdapter.Fill(myDatatable)
            MsgBox("Data has been successfully added.")
            clearfield()
            loaddatabase()

            connection.Close()
            connection.Dispose()
        Catch ex As Exception
            MsgBox(ex.Message)
        End Try

更新

Try
                connection.Open()
                rcvdate.Text = rdate.Text
                If refdate.Checked = False Then
                    rfrldatelbl.Text = "____-__-__"
                Else
                    refdate.CustomFormat = "yyyy-MM-dd"
                    rfrldatelbl.Text = refdate.Text + " " + TimeOfDay
                End If

                Dim query As String
                query = "update tracker.recordtracker set Action_Taken='" & acttaken.Text & "', Marginal_Note='" & margnote.Text & "', Remarks='" & remarks.Text & "',Type_of_Document='" & doctype.Text & "', Items = '" & itemtbx.Text & "', Referred_To='" & reftotbx.Text & "', Referred_Date='" & rfrldatelbl.Text & "',recdate='" & rdate.Text & "',refdate='" & refdate.Text & "' where id = '" & ID.Text & "'"

                utos = New MySqlCommand(query, connection)
                reader = utos.ExecuteReader

                MsgBox("Data has been changed.")
                connection.Close()
                loaddatabase()

                connection.Close()
                connection.Dispose()
            Catch ex As Exception
                MsgBox(ex.Message)
            End Try

Answer 1

您已經附加了構成SQL查詢的字符串。 您將需要閱讀有關SQL injection以了解為什么這是一個糟糕的主意。 但是從根本上講，它允許任何有權提交將您附加到字符串中的值的人控制數據庫。 您可能想要做類似的事情：

Dim sql As String = "INSERT INTO foo (baz) VALUES (@Baz)"

Using cn As New SqlConnection("Your connection string here"), _
    cmd As New SqlCommand(sql, cn)

    cmd.Parameters.Add("@Baz", SqlDbType.VarChar, 50).Value = Baz
    cmd.ExecuteNonQuery()

解決您的問題。

Answer 2

來自MySQL參考

字符串是字節或字符序列，用單引號（“'”）或雙引號（“”“）括起來

所以'是保留字符。
如果要在字符串的內容中使用轉義序列\\'則需要使用轉義序列\\' 。

但是正如@Matt Fellows在他的答案中提到的，在數據​​庫中保存字符串值的更好的做法是SqlParameters
使用SqlParameter您不需要使用轉義序列，字符串將按原樣保存（基於列的類型）

Dim param As New SqlParameter With {.ParameterName="@text",
                                    .SqlDbType = SqlDbType.VarChar,
                                    .Value = "Your 'Name' in quotes"}