Single quote handling in a SQL string
I have an application where the values in the text field are sent to the database.
For example I have a form with one field (text box). When I press the Ok button, the content of the text field is inserted as a record into a table. I'm just trimming and extracting the text box's text into a variable and passing it to my SQL string.
The problem is that whenever something like "It's" or "Friend's" is entered, the single quote is identified as the end of the string. In Delphi I have seen something like QuotedString to avoid this. Any ideas from you?
Don't ever build SQL statements like that, it's very unsafe (read this). Use parameters, i.e.:
using System.Data.SqlClient;

// The value never becomes part of the SQL text, so quotes inside it need no escaping.
var command = new SqlCommand("select * from person where firstname = @firstname");
SqlParameter param = new SqlParameter();
param.ParameterName = "@firstname";
param.Value = "testing12'3";
command.Parameters.Add(param);
Use .Replace("'","''")
For example
// Each single quote becomes two: the SQL escape for a quote inside a string literal.
string name = txtName.Text.Replace("'","''");
Now name can be passed as a parameter to a stored procedure etc.
Hope this will help you ...
// Returns the input with every single quote doubled, which is how a quote is
// escaped inside a SQL string literal. Null is mapped to an empty string.
public static string DoQuotes(string sql)
{
    if (sql == null)
        return "";
    else
        return sql.Replace("'", "''");
}
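An added example (not from any of the answers above) that runs the question's concatenation pattern and both fixes, quote doubling and parameters, against an in-memory sqlite3 database. The table, the sample value and the function names are constructed for this demo.

```python
import sqlite3


def make_db():
    """Constructed table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (firstname TEXT)")
    return conn


def do_quotes(sql):
    """The DoQuotes helper from the last answer, in Python: '' is SQL's escape for '."""
    return "" if sql is None else sql.replace("'", "''")


def insert_concat(conn, name):
    """What the question does: splice the text box value straight into the SQL text.
    Returns the database error text if the value breaks the statement, else None."""
    sql = "INSERT INTO person (firstname) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        return None
    except sqlite3.OperationalError as err:
        return str(err)


def insert_param(conn, name):
    """The first answer: the driver carries the value separately, no quoting needed."""
    conn.execute("INSERT INTO person (firstname) VALUES (?)", (name,))


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT firstname FROM person ORDER BY rowid")]


def demo(value="Friend's"):
    conn = make_db()
    raw_error = insert_concat(conn, value)                 # 'Friend's' -> unterminated string
    doubled_error = insert_concat(conn, do_quotes(value))  # 'Friend''s' -> stored as Friend's
    insert_param(conn, value)                              # stored as Friend's, nothing escaped
    return raw_error, doubled_error, stored_names(conn)


if __name__ == "__main__":
    print(demo())
```

The raw concatenation fails with a tokenizer error, while the doubled and parameterised inserts both store the original value unchanged.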