开发者

replace method mechanism

问答 作者:

i face the following problem::

i wanna to escape the following character ' single quote:

it works when making this test through :the built in method Replace("'","''");

as this code below :(just a test) it works

protected void btn_insert_Click(object sender, EventArgs e)
{
            lbl.Text = string.Empty;
            SqlConnection mycon = new SqlConnection(Constr);`

            SqlCommand mycommand = new SqlCommand("INSERT INTO details VALUES('" + txt.Text.Replace("'", "''") + "','" + txt.Text.Replace("'", "''")+ "')", mycon);

            mycon.Open();
            int affectedRows = 0;

            affectedRows = mycommand.ExecuteNonQuery();
            mycon.Close();
        }

but i wanna to generalize my solution to work all over the application through my Insert method in the data access layer:

public static int InsertEntity(string tblName, Dictionary<string, string> dtParams)
        {
            int Result = -1;
            DBConnection DAL_Helper = new DBConnection("");
            string[] field_names = new string[dtParams.Count];
            dtParams.Keys.CopyTo(field_names, 0);
            string[] field_values = new string[dtParams.Count];
            dtParams.Values.CopyTo(field_values, 0);
            for (int i = 0; i < field_values.Length; i++)
            {
                field_value开发者_开发知识库s[i].Replace("'", "''");
            }
            string insertCmd = "INSERT INTO " + tblName + " (" + string.Join(",", field_names) + ") values ('" + string.Join("','", field_values) + "')";

            Result = DAL_Helper.Execute_NonQuery(insertCmd);
            return Result;
        }

this not escaping the ' single quote charecter,although i use Replace("'","''");

what is the problem ,,how to fix this problem?

I strongly recommend you use Command Parameters using SqlCommand.Parameters collection instead of your approach.

Problem is here :

        for (int i = 0; i < field_values.Length; i++)
        {
            field_values[i].Replace("'", "''");
        }

Replace it with :

        for (int i = 0; i < field_values.Length; i++)
        {
            field_values[i] = field_values[i].Replace("'", "''");
        }

Building on decyclone's answer. CommandParameters are the way to go here, you are just re-inventing it with your own code.

I have found a very nice clear example here for supplying params to a SQL statement.

http://dotnetperls.com/sqlparameter

        using (SqlCommand command = new SqlCommand("SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
        {
            string dogName = "Mc'Dougal";
            //
            // Add new SqlParameter to the command.
            //
            command.Parameters.Add(new SqlParameter("Name", dogName));
            //
            // Read in the SELECT results.
            //
            SqlDataReader reader = command.ExecuteReader();
        }

继续阅读:.netasp.netsql-server

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9