如何在VB.net中我们可以为SQL编码字符串 [英] How in VB.net we can encode string for SQL

问题描述

例如，在sql中

所有`应该被替换为``对？

all ` should be replaced with `` right?

嗯，vb.net内置的函数是否已经有这样的事情？

Well, is there a function built in by vb.net that does that sort of thing already?

这样我就不用编码了。

顺便说一下，我不直接访问sql数据库。基本上我正在创建一个文本文件，该文本文件包含raw sql语句。大部分答案都是直接访问sql数据。

By the way, I do not access sql database directly. Basically I am creating a text file and that text file contains raw sql statements. Most of the answers deal with accessing sql data directly.

推荐答案

我不认为只有这样，像这样做是相关的，如果你正在做内联SQL命令没有参数。

I don't think so as I think the only case where something like this would be relevant is if you were doing inline SQL Commands without parameters.

这有一个风险 SQL Injection ，因此您应该创建如下命令：

This has a risk of SQL Injection, and therefore you should create commands like this:

Dim cmd As New SqlCommand("UPDATE [TableA] SET ColumnA=@ColumnA WHERE ID=@ID", Conn)
cmd.Parameters.Add("@ColumnA", SqlDbType.NVarChar).Value = txtColumnA.Text
cmd.Parameters.Add("@ID", SqlDbType.Int).Value = ID
cmd.ExecuteNonQuery()

这篇关于如何在VB.net中我们可以为SQL编码字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！