单引号处理的SQL字符串 [英] Single quote handling in a SQL string

问题描述

予有其中在文本字段中的值被发送到数据库的应用程序。

I have an application where the values in the text field are sent to the database.

例如我有一个字段（文本框）的形式。当我preSS确定按钮，然后在文本字段的内容作一个记录到表中。我只是修剪和提取文本框的文本变量并将它传递给我的SQL字符串。

For example I have a form with one field (text box). When I press Ok button then the content of the text field is inserted as a record into a table. I'm just trimming and extracting the text box's text into variable and passing it to my SQL string.

的问题是，无论何时类似这或朋友的单引号被识别为字符串的末尾。在德尔福我见过像 QuotedString 来avoide这一点。从你的任何想法？

The problem is that whenever something like "It's" or "Friend's" the single quote is identified as the end of string. In Delphi I have seen something like QuotedString to avoide this. Any ideas from you?

推荐答案

永远不要建立SQL语句这样的，这是非常不安全的 （阅读）。使用参数，即：

Don't ever build SQL statements like that, it's very unsafe (read this). Use parameters, i.e:

var command = new SqlCommand("select * from person where firstname = @firstname");
SqlParameter param  = new SqlParameter();
param.ParameterName = "@firstname";
param.Value         = "testing12'3";
command.Parameters.Add(param);

这篇关于单引号处理的SQL字符串的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！