带撇号的sql查询 [英] sql query with apostrophe
问题描述
我在dotnetnuke的SQLGridSelectedView中遇到问题,如果我在姓氏"文本框中键入 O''Connell ,我将无法获得详细信息,但是如果键入 Connell 而不是我''将获得所有详细信息.
例如:
名字= Daniel
姓氏= O''Connell
SQL语句(仅适用于SELECT或EXEC): SELECT姓氏AS [姓氏],名字AS [姓氏],办公室AS位置,部门,电话,"" + WindowsEmailAddress +'' ''作为来自crestron_directory的电子邮件,(姓氏不是空且姓氏<>'''')AND(姓氏不是空且姓氏<>'''')AND((((WindowsEmailAddress< ;>``gfeldstein@crestron.com'')AND(WindowsEmailAddress<> lfeldstein@crestron.com'')AND(WindowsEmailAddress<>``'')AND(WindowsEmailAddress不为null)) )
文本搜索
搜索子句:(姓氏类似''%[Search2:Text]%'')
我已经尝试过
-(LastName LIKE''%''''[[Search2:Text]%'')
-(LastName LIKE''%''''''[Search2:Text]%'')
-(LastName LIKE''%\''[Search2:Text]%'')
-(LastName LIKE''%''''[[Search2:Text]%'')
-(LastName LIKE''%"+ [Search2:Text] +"%'')
-(LastName LIKE''%"+ [Search2:Text] +"%"
")
谢谢
Hi,
I am facing a probleam in SQLGridSelectedView from dotnetnuke, If I type O''Connell in my LastName Textbox I coudn''t get the detail but if I type Connell than I''ll get all the details.
For Example :
First Name = Daniel
Last Name = O''Connell
SQL Statement(SELECT or EXEC Only): SELECT LastName AS [Last Name], FirstName AS [First Name],Office AS Location, Department, Phone, ''''+WindowsEmailAddress+'''' AS Email FROM crestron_directory WHERE (LastName IS NOT NULL AND LastName <> '''') AND (FirstName IS NOT NULL AND FirstName <> '''') AND (((WindowsEmailAddress <> ''gfeldstein@crestron.com'') AND (WindowsEmailAddress <> ''lfeldstein@crestron.com'') AND (WindowsEmailAddress <> '''') AND (WindowsEmailAddress is not null)))
Text Search
Search Clause: (LastName LIKE ''%[Search2:Text]%'')
I have tried
-(LastName LIKE ''% ''''[Search2:Text]%'')
-(LastName LIKE ''% ''''''[Search2:Text]%'')
-(LastName LIKE ''% \''[Search2:Text]%'')
-(LastName LIKE ''% ''''[Search2:Text]%'')
-(LastName LIKE ''%" + [Search2:Text] + "%'')
-(LastName LIKE ''%" + [Search2:Text] + "%''
")
Thank you
推荐答案
您可以轻松地找到如何转义撇号和其他方法,例如:
http://www.sqlteam.com/article/apostrophes-and-quotation-标记为sql-server的服务器 [ ^ ]或毕竟:
http://bit.ly/x5qYJi [ ^ ].
不过,这几乎是无关紧要的.您应该考虑非常不同的事情:"O''Connel这样的文本如何进入您的查询?我可以告诉你:它永远不会出现在查询中.什么,您在源代码中硬编码一个人的名字吗?不?然后,您可能会在运行时(甚至可能是交互式用户输入)中编写命令字符串.
您绝对不应该这样做.您需要使用参数化查询.请参阅:
http://msdn.microsoft.com/en-us/library/ms254953.aspx [ ^ ].
如果使用参数查询,甚至不会考虑撇号的问题:您将实际值分配给类型的参数.对于字符串,请按原样提供字符串值.即使里面有一个空字符. :-)
如果我的论据还不能使您信服,请考虑一下安全性:从输入中构成查询文本非常危险.请阅读有关 SQL注入的危险和参数化语句的作用:
http://en.wikipedia.org/wiki/SQL_injection [
You could easily find out how to escape the apostrophe and other things, for example:
http://www.sqlteam.com/article/apostrophes-and-quotation-marks-in-sql-server[^], or after all:
http://bit.ly/x5qYJi[^].
This is almost irrelevant though. You should think about very different thing: how come such text as "O''Connel" can get into your query? I can tell you: it should never appear in a query. What, do you hard-code a person''s name in the source code? No? Then you probably compose a command string from during run time, probably even from interactive user input.
You should never do this. You need to use parametrized queries. Please see:
http://msdn.microsoft.com/en-us/library/ms254953.aspx[^].
If you use parametrize queries, the problem of the apostrophe won''t even come into consideration: you assign actual values to the parameters, which are types. In the case of string, you supply a string value as it is. Even with a null character inside. :-)
If my arguments are not yet convincing to you, think about the security: composing the text of the query from the input is simply prohibitively dangerous. Please read about the danger of SQL Injection and the role of parametrized statements:
http://en.wikipedia.org/wiki/SQL_injection[^].
—SA
一个选项是用两个单引号替换单引号,类似于:
One option is to replace the single quote with two single quotes, similar to this:
replace(FIELD, "'", "''")
这篇关于带撇号的sql查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!