如何在VB.net中我们可以为SQL编码字符串 [英] How in VB.net we can encode string for SQL
问题描述
例如,在sql中
所有`应该被替换为``对?
all ` should be replaced with `` right?
嗯,vb.net内置的函数是否已经有这样的事情?
Well, is there a function built in by vb.net that does that sort of thing already?
这样我就不用编码了。
顺便说一下,我不直接访问sql数据库。基本上我正在创建一个文本文件,该文本文件包含raw sql语句。大部分答案都是直接访问sql数据。
By the way, I do not access sql database directly. Basically I am creating a text file and that text file contains raw sql statements. Most of the answers deal with accessing sql data directly.
推荐答案
我不认为只有这样,像这样做是相关的,如果你正在做内联SQL命令没有参数。
I don't think so as I think the only case where something like this would be relevant is if you were doing inline SQL Commands without parameters.
这有一个风险 SQL Injection ,因此您应该创建如下命令:
This has a risk of SQL Injection, and therefore you should create commands like this:
Dim cmd As New SqlCommand("UPDATE [TableA] SET ColumnA=@ColumnA WHERE ID=@ID", Conn)
cmd.Parameters.Add("@ColumnA", SqlDbType.NVarChar).Value = txtColumnA.Text
cmd.Parameters.Add("@ID", SqlDbType.Int).Value = ID
cmd.ExecuteNonQuery()
这篇关于如何在VB.net中我们可以为SQL编码字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!