query delimiters
Problem description
I have a query and am inserting fields into a table. Works usually. I
delimit the fields with single quotes ('). The problem is some fields
(row(0) or row(1)) have single quotes. What to do?
Dim strSQL As String = "INSERT INTO tbl_All_X12 (field1, field2) " & _
"values ('" & row(0) & "','" & row(1) & "');"
Jim <jo********@RemoveThisStuffNetscape.net> wrote in
news:ON******************************@massilloncabletv.com:
> I have a query and am inserting fields into a table. Works usually. I
> delimit the fields with single quotes ('). The problem is some fields
> (row(0) or row(1)) have single quotes. What to do?
Don't concatenate SQL strings. Use SQL parameters.
That did it. Thanks. I'm a newbie at this and I just snipped the code
out of something I found that worked.
Spam Catcher wrote:
Jim <jo********@RemoveThisStuffNetscape.net> wrote in
news:ON******************************@massilloncabletv.com:
> I have a query and am inserting fields into a table. Works usually. I
> delimit the fields with single quotes ('). The problem is some fields
> (row(0) or row(1)) have single quotes. What to do?
Don't concatenate SQL strings. Use SQL parameters.
Jim <jo********@RemoveThisStuffNetscape.net> wrote in news:is-
dn***************************@massilloncabletv.com:
> That did it. Thanks. I'm a newbie at this and I just snipped the code
> out of something I found that worked.
FYI, the reason why I suggested not to use concatenation is because it
exposes your code to SQL injection. As you noticed, escape characters such
as single quotes (') can cause your SQL code to bomb out. A hacker could
mangle the SQL string with escape characters and run unexpected SQL (e.g.
DELETE FROM TABLE) ;-)
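The parameterized form the replies recommend, written out as an added example (this is not code from the thread or from either poster). It rewrites the original INSERT with ADO.NET SqlCommand parameters and keeps the concatenated version alongside for comparison. Assumed, not from the thread: SQL Server via System.Data.SqlClient, NVARCHAR(200) columns in tbl_All_X12, a connection string held in connStr, row(0)/row(1) supplied as an Object array, and the names ParameterizedInsert, InsertRow and ConcatenatedSql.

```vbnet
' Added example, not from the original thread. Assumptions: SQL Server via
' ADO.NET (System.Data.SqlClient), a table tbl_All_X12(field1, field2) with
' NVARCHAR(200) columns, a connection string in connStr, and the row values
' passed in as an Object array (the thread's row(0) and row(1)).
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module ParameterizedInsert

    ' What the original post did: the values are spliced into the SQL text,
    ' so a quote inside the data ends the literal early. A quote such as the
    ' one in O'Brien gives a syntax error; a crafted value can append its
    ' own statement to the batch. Kept here for comparison only.
    Function ConcatenatedSql(row() As Object) As String
        Return "INSERT INTO tbl_All_X12 (field1, field2) " & _
               "values ('" & row(0) & "','" & row(1) & "');"
    End Function

    ' Inserts one row using SQL parameters. The statement text is a constant;
    ' the provider sends the values separately from it, so nothing needs to
    ' be escaped and the data cannot change what the statement does.
    Sub InsertRow(connStr As String, row() As Object)
        Const sql As String = _
            "INSERT INTO tbl_All_X12 (field1, field2) VALUES (@field1, @field2);"

        Using cn As New SqlConnection(connStr)
            Using cmd As New SqlCommand(sql, cn)
                ' Typed parameters with explicit sizes. Nothing is mapped to
                ' DBNull, otherwise SqlClient reports the parameter as missing.
                cmd.Parameters.Add("@field1", SqlDbType.NVarChar, 200).Value = _
                    If(row(0), CObj(DBNull.Value))
                cmd.Parameters.Add("@field2", SqlDbType.NVarChar, 200).Value = _
                    If(row(1), CObj(DBNull.Value))

                cn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    Sub Main()
        ' Assumed connection string; replace with your own.
        Dim connStr As String = "Server=.;Database=X12;Integrated Security=true"

        ' Constructed inputs. The first breaks the concatenated version with a
        ' syntax error; the second would append a DELETE to the batch.
        Dim rows()() As Object = { _
            New Object() {"O'Brien", "plain value"}, _
            New Object() {"x'); DELETE FROM tbl_All_X12; --", "still just text"} _
        }

        For Each row As Object() In rows
            Console.WriteLine("Concatenated (unsafe): " & ConcatenatedSql(row))
            ' With parameters both rows are stored exactly as given, quotes
            ' and all, and the DELETE text is just a string in field1.
            InsertRow(connStr, row)
        Next
    End Sub
End Module
```

Printing ConcatenatedSql for the second row shows why the original code was dangerous: SQL Server executes a command's text as a batch, so the appended DELETE would have run. With parameters the same value arrives as data, and the one statement in sql is the only thing executed.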