C#数据集中的单引号问题 [英] Single quote issue in C# dataset
本文介绍了C#数据集中的单引号问题的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在运行oracle查询并将数据存储在数据集中(dsDataSet)
步骤2:将其复制到datatable。
dtAEDetails = dsDataSet.Tables [0 ] .Copy();)
步骤3:将数据表存储到访问数据库中。
我在数据表中遇到问题,一个字段具有单引号的数据表中的Desc1(例如:
'SCHOLAR'S EDGE THE AGGR P'
以下代码插入数据表进入访问数据库。
如果数据表行> 0然后插入访问数据库。
DESC1字段有单引号,如何在插入前用双引号替换单引号数据库。
if(dtAEDetails.Rows.Count> 0)
{
//设置params
foreach(DataRow) drAEDetails in dtAEDetails.Rows)
{
sInsertValues =
'+ drAEDetails [OFFICE ] .ToString()+','
+ drAEDetails [AE]。ToString()+','< pre> if(dtAEDetails.Rows.Count> 0)
{
//设置params
foreach(dtAEDetails.Rows中的DataRow drAEDetails)
{
sInsertValues =
'+ drAEDetails [OFFICE]。ToString()+','
+ drAEDetails [AE]。ToString()+','
+ drAEDetails [SETDATE]。ToString()+','
+ drAEDetails [ACCT]。ToString()+','
+ drAEDetails [SHORT]。ToString ()+','
+ drAEDetails [BS]。ToString()+','
+ drAEDetails [SHARES]。ToString()+','
+ drAEDetails [DESC1]。ToString()+','
+ drAEDetails [PRICE]。ToString()+','
+ drAEDetails [PRINC]。ToString()+','
+ drAEDetails [GROSS]。ToString()+','
+ drAEDetails [STAND]。 ToString()+','
+ drAEDetails [NET]。ToString()+','
+ drAEDetails [NEWNET]。ToString()+','
+ drAEDetails [AECHG]。ToString()+','
+ drAEDetails [BONUS]。ToString()+','
+ drAEDetails [ BT]。ToString()+','
+ drAEDetails [CANCEL]。ToString()+','
+ drAEDetails [TRANSCODE]。ToString() +','
+ drAEDetails [ORDERSORT]。ToString()+','
+ drAEDetails [REALGR]。ToString()+','
+ drAEDetails [ANNUITYNET]。ToString()+','
+ drAEDetails [RECORDID]。ToString()+','
+ drAEDetails [USER_CODE_1]。 ToString()+','
+ drAEDetails [USER_CODE_7]。ToString()+';
insertAEdetails.ParmValue = sInsertValues;
insertAEdetails.InsertIntoAccess();
如何在desc字段中将单引号替换为双引号并将其存储到数据集中,替换后我想将其存储到datatable中。怎么做。
请指导我。
谢谢
我尝试了什么:
我想更换查询,但我的colegue说这很容易代码。
你能不能给我一个想法。
解决方案
你不要替换单引号。您可以将数据库处理代码(可能是使用字符串连接)更改为使用参数化查询。
谷歌SQL注入攻击找出你的原因'做得太糟糕了。然后谷歌C#参数化查询找出如何解决它。
问题是你的查询方式都是错误的 - 而且非常危险。
永远不要连接字符串以形成SQL命令:它会让你对SQL注入的东西敞开大门,这可能会损坏,破坏或将数据库移交给用户,或允许他随意绕过你的登录要求。它也会导致这样的问题...
总是使用参数化查询,这是唯一安全的方法。
你需要做的第一件事是修复你的其他所有查询应用程序:只留下一个,你最好确保你有好的,坚实的,经常备份你的数据库,因为你要经常恢复它...
你的问题是非常流行的SQL注入问题。
永远不要通过连接字符串来构建SQL查询。迟早,您将使用用户输入来执行此操作,这会打开一个名为SQL注入的漏洞,这对您的数据库很容易并且容易出错。
名称中的单引号你的程序崩溃。如果用户输入像Brian O'Conner这样的名称可能会使您的应用程序崩溃,那么这是一个SQL注入漏洞,崩溃是最少的问题,恶意用户输入,并且它被提升为具有所有凭据的SQL命令。
SQL注入 - 维基百科 [ ^ ]
SQL注入 [ ^ ]
按示例进行SQL注入攻击 [ ^ ]
PHP:SQL注入 - 手册 [ ^ ]
SQL注入预防备忘单 - OWASP [ ^ ]
I am running oracle query and getting the data storing it in dataset(dsDataSet)
STEP 2 :Copying it to datatable.
dtAEDetails= dsDataSet.Tables[0].Copy();)
Step 3 : storing the datatable into access database.
I am having issue in datatable, one field Desc1 in datatable having single quote(ex:
'SCHOLAR'S EDGE THE AGGR P'
The below code is inserting datatable into access database.
if datatable rows >0 then inserting into access database.
DESC1 field is having single quote , how to replace single quote with double quote before insert into database.
if (dtAEDetails.Rows.Count > 0)
{
//Set up the params
foreach (DataRow drAEDetails in dtAEDetails.Rows)
{
sInsertValues =
"'" + drAEDetails["OFFICE"].ToString() + "','"
+ drAEDetails["AE"].ToString() + "','"<pre> if (dtAEDetails.Rows.Count > 0)
{
//Set up the params
foreach (DataRow drAEDetails in dtAEDetails.Rows)
{
sInsertValues =
"'" + drAEDetails["OFFICE"].ToString() + "','"
+ drAEDetails["AE"].ToString() + "','"
+ drAEDetails["SETDATE"].ToString() + "','"
+ drAEDetails["ACCT"].ToString() + "','"
+ drAEDetails["SHORT"].ToString() + "','"
+ drAEDetails["BS"].ToString() + "','"
+ drAEDetails["SHARES"].ToString() + "','"
+ drAEDetails["DESC1"].ToString()+ "','"
+ drAEDetails["PRICE"].ToString() + "','"
+ drAEDetails["PRINC"].ToString() + "','"
+ drAEDetails["GROSS"].ToString() + "','"
+ drAEDetails["STAND"].ToString() + "','"
+ drAEDetails["NET"].ToString() + "','"
+ drAEDetails["NEWNET"].ToString() + "','"
+ drAEDetails["AECHG"].ToString()+ "','"
+ drAEDetails["BONUS"].ToString()+ "','"
+ drAEDetails["BT"].ToString() + "','"
+ drAEDetails["CANCEL"].ToString() + "','"
+ drAEDetails["TRANSCODE"].ToString() + "','"
+ drAEDetails["ORDERSORT"].ToString() + "','"
+ drAEDetails["REALGR"].ToString() + "','"
+ drAEDetails["ANNUITYNET"].ToString() + "','"
+ drAEDetails["RECORDID"].ToString() + "','"
+ drAEDetails["USER_CODE_1"].ToString() + "','"
+ drAEDetails["USER_CODE_7"].ToString() + "'";
insertAEdetails.ParmValue = sInsertValues;
insertAEdetails.InsertIntoAccess();
how to replace single quote into double quote in desc field and store it to dataset, after replacing I want to store it into datatable . how to do it.
Please guide me.
Thanks
What I have tried:
I thought of replacing in query , but my colegue said it's easy in code.
can you please give me idea.
解决方案
You don't replace the single quote. You change your database handling code, which is probably written use string concatenation, to using parameterized queries instead.
Google for "SQL Injection Attack" to find out why what you're doing is so bad. Then Google for "C# parameterize query" to find out how to fix it.
The problem is that the way you do your queries is all wrong - and very dangerous.
Never concatenate strings to form SQL commands: it leaves you wide open to something called SQL Injection, which can damage, destroy, or hand over your database to the user, or allow him to bypass your login requirements at will. And it causes problems like this as well...
Always use parameterized queries instead, it's the only way to be safe.
And the first thing you need to do is fix every other query in you Application: leave just one in there, and you better make sure you have good, solid, frequent backups of your DB, because you are going to be restoring it often...
Your problem is the very popular SQL Injection problem.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
这篇关于C#数据集中的单引号问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
