Single Quote Error
When I insert single quote in search box and press search button it gives error like:
[Microsoft][SQL Server Native Client 开发者_开发知识库 10.0][SQL Server]Unclosed quotation mark after the character string ' '.
You should be using parameterized queries instead of constructing your SQL by concatenation.
This will avoid SQL Injection attacks as well as resolve any single quote issues.
The quick fix it to escape the '
by doubling it (''
), but this would just be a temporary workaround and your code will still be vulnerable.
Parameterize your SQL queries. There are more serious issues than this called SQL Injection.
You need to escape single quotes, like \' as you're using single quotes to surround where-statements, like where i = 'foo', then you need to write where i = '\'' to match a single quote, or lie where i = 'it\'s a good day today'
精彩评论