C#中的SQL语句 [英] SQL Statement in C#
问题描述
在处理
的引号时,我总是无法编写SQL语句。有人可以用这行ocde帮助我吗?我知道我需要武装起飞。在引号中(我相信)
string sCommand =" SELECT CommandString FROM Commands WHERE CommandName =
Armed Away" ;;
不要这样做。使用存储过程。
但是如果必须使用命令字符串,则需要转义单引号。或者
您可以在字符串文字中使用未转义的单引号,并在其前面加上@ sign
。
所以,要么:
" SELECT CommandString FROM Commands WHERE CommandName = \''Armed Away \''" ;;
或:
@" SELECT CommandString FROM命令WHERE CommandName =''Armed Away''"
HTH
彼得
" Chris" < Ch *** @ discuss.microsoft.com写信息
news:30 ************************* ********* @ microsof t.com ...
>在处理时,我总是遇到编写SQL语句的问题
的报价。有人可以用这行ocde帮助我吗?我知道
我
需要Armed Away在引号中(我相信)
string sCommand =" SELECT CommandString FROM Commands WHERE CommandName =
Armed Away" ;;
string sCommand =" SELECT CommandString FROM Commands WHERE CommandName =
''Armed Away'' " ;;
" Chris" < Ch *** @ discuss.microsoft.com写信息
news:30 ************************* ********* @ microsof t.com ...
>在处理时,我总是遇到编写SQL语句的问题
的报价。有人可以用这行ocde帮助我吗?我知道
我
需要Armed Away在引号中(我相信)
string sCommand =" SELECT CommandString FROM Commands WHERE CommandName =
Armed Away" ;;
Peter Bradley< pb ****** @ uwic.ac.ukwrote:
不要这样做。使用存储过程。
就个人而言,我不同意使用存储过程来获取所有内容,除非是出于安全原因。使用ORM系统,比如
Hibernate,你可以直接执行更丰富的查询,而不是使用存储过程轻松实现
,除非这些过程最终产生动态
SQL(这很麻烦,容易出错)。
更好的选择是使用参数化查询 - 你得到的参数是
的好处通过没有SQL注入的风险
攻击等,但没有为每个查询添加存储过程的开发/维护开销
。
-
Jon Skeet - < sk *** @ pobox.com>
http://www.pobox.com/~skeet 博客: http://www.msmvps.com/jon.skeet
如果回复该群组,请不要给我发邮件
I always have trouble writing a SQL statement when it comes to the handling
of the quotes. Can someone please help me with this line of ocde? I know I
need to have "Armed Away" in quotes too (I believe)
string sCommand = "SELECT CommandString FROM Commands WHERE CommandName =
Armed Away";
Don''t do it. Use a stored procedure.
But if you must use a command string, you want escaped single quotes. Or
you can use unescaped single quotes in your string literal, with the @ sign
preceding it.
So, either:
"SELECT CommandString FROM Commands WHERE CommandName = \''Armed Away\''";
or:
@"SELECT CommandString FROM Commands WHERE CommandName = ''Armed Away''"
HTH
Peter
"Chris" <Ch***@discussions.microsoft.comwrote in message
news:30**********************************@microsof t.com...>I always have trouble writing a SQL statement when it comes to the handling
of the quotes. Can someone please help me with this line of ocde? I know
I
need to have "Armed Away" in quotes too (I believe)
string sCommand = "SELECT CommandString FROM Commands WHERE CommandName =
Armed Away";
string sCommand = "SELECT CommandString FROM Commands WHERE CommandName =
''Armed Away'' ";
"Chris" <Ch***@discussions.microsoft.comwrote in message
news:30**********************************@microsof t.com...>I always have trouble writing a SQL statement when it comes to the handling
of the quotes. Can someone please help me with this line of ocde? I know
I
need to have "Armed Away" in quotes too (I believe)
string sCommand = "SELECT CommandString FROM Commands WHERE CommandName =
Armed Away";
Peter Bradley <pb******@uwic.ac.ukwrote:Don''t do it. Use a stored procedure.Personally I disagree with the idea of using stored procedures for
everything, unless it''s for security reasons. With ORM systems like
Hibernate, you can perform much richer queries directly than are easily
feasible with stored procs unless those procs end up generating dynamic
SQL (which is messy and prone to bugs).
The better alternative is to use a parameterised query - you get the
benefits of the parameters being passed without risk of SQL injection
attacks etc, but without the development/maintenance overhead of having
to add a stored proc for every query.
--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet Blog: http://www.msmvps.com/jon.skeet
If replying to the group, please do not mail me too
这篇关于C#中的SQL语句的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
