MySQL和vb.net中的Qoutation makrs [英] Qoutation makrs in MySQL and vb.net

问题描述

我正在尝试插入搜索或读取带有''标记的数据并且正在回复有关MySQL语法的错误，如何在查询中使用''？

解决方案

不要！答案很简单。



使用参数化查询 - 这样你也不会受到SQL注入攻击的攻击，这可能会破坏或破坏你的数据库。

所有内容都显示在MySQL文档中;很难咨询吗？



这是如何逃避''和其他字符：http://dev.mysql.com/doc/refman/5.0/en/string-literals.html [ ^ ]。



但是，根问题可能不同。你是通过将一些SQL语言结构与数据连接来获得SQL查询吗？即使它有效，这也不是正确的事情。您最好使用参数化语句。请参阅：

http://msdn.microsoft.com/en-us/library/ms254953.aspx [ ^ ]，

http://msdn.microsoft.com/ en-us / library / yy6y35y8％28v = vs.80％29.aspx [ ^ ]。



不仅它通常更好，而且会帮助您避免逃避问题，它也更安全，这非常重要。特别是，它可以帮助您免受名为 SQL注入的众所周知的漏洞的攻击：

http://en.wikipedia.org/wiki/SQL_injection [ ^ ]。



请注意 3.1 解释参数化陈述的重要性。

-SA

I''m trying to insert of search or read for data with the '' marks in and am reciving an error about MySQL syntax, how can I use the '' in a query?

解决方案

"Don''t!" Is the simple answer.

Use parameterized queries instead - that way you will also not be vulnerable to SQL injection attacks, which can damage or destroy your database.

Everything is shown in MySQL documentation; was to so hard to consult it?

This is how to escape '' " and other characters: http://dev.mysql.com/doc/refman/5.0/en/string-literals.html[^].

However, it''s possible that the root problem is different. Do you obtain SQL query by concatenating some SQL language constructs with data? Even if it works, this is not a right thing to do. You should better use parametrized statements instead. Please see:
http://msdn.microsoft.com/en-us/library/ms254953.aspx[^],
http://msdn.microsoft.com/en-us/library/yy6y35y8%28v=vs.80%29.aspx[^].

Not only it''s generally better and will help you to avoid escaping problems, it''s also much safer, which is very important. In particular, it can help you to get protected from a well-known exploit called SQL injection:
http://en.wikipedia.org/wiki/SQL_injection[^].

Note the section 3.1 explaining the importance of parametrized statements.

—SA

这篇关于MySQL和vb.net中的Qoutation makrs的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！