从SQL自定义传递值时，它的显示有自定义&＃39;小号 [英] While passing the value from SQL custom's , its is show has custom' s

问题描述

我有一个Store proc，其中我得到了公司的名称，其中一个公司有撇号For Example- custom's但在服务器方面我得到的是定制& ＃3 9; s，因此它给了我错误

I have an Store proc in which I am getting the name of the company , One of the Company has the apostrophe For Example- custom's but in Server side i am getting has custom & # 3 9; s , hence it is giving me error

public ActionResult OfferDocument()
        {
            List<IIFL_IB_Prospects> lstProspects = new List<IIFL_IB_Prospects>();
            InvestmentBankingParent IBParent = new InvestmentBankingParent();
            SessionParams.IBRenderMode = "0";
            DataSet ds = new DataSet();
            IIFL_IB_Prospects IIFL_IB_Prospects;
            setUserName();
            try
            {
                ds = getProspects();

                foreach (DataRow dr in ds.Tables[0].Rows)
                {
                    IIFL_IB_Prospects = new IIFL_IB_Prospects();
                    IIFL_IB_Prospects.CompanyName = Server.HtmlEncode(Convert.ToString(dr["companyname"]));
                    lstProspects.Add(IIFL_IB_Prospects);
                }


                

                IBParent.Prospects = lstProspects;
                IBParent.recentTransaction = getKeyTransaction();
                IBParent.testimonials = getClientTestimonials();
            }
            catch (Exception ex)
            {
                string msg = ex.Message + " at " + DateTime.Now + " From RecentTransaction";
                LogObj.writeLog("ErrorLogIB.txt", msg);              
            }

            obj.trackUser("View Investment Banking/Offer document");
            //return View(new IIFL_IB_Prospects(lstProspects));
            return View(IBParent);
        }

我的尝试：



我有

What I have tried:

I have

IIFL_IB_Prospects.CompanyName=Server.HtmlEncode(Convert.ToString(dr["companyname"]));

推荐答案

可能 - 如果没有看到您用来访问数据或将数据存储到数据库中的代码，我们就不能肯定地说 - 这是由于你犯了一个大错误，让你的数据库对SQL注入开放。当您连接字符串以形成SQL命令时：

Probably - and without seeing the code you use to access or store the data into the DB we can't tell for sure - it's down to you making a huge mistake, and leaving your DB wide open to SQL Injection. When you concatenate strings to form an SQL command:

string sql = "INSERT INTO MyTable (CompanyName) VALUES ('" + txtCompanyName.Text + "')";

用户可以通过自己的数据库做他喜欢的事情 - 包括删除它 - 只需键入在文本框中，以及像这样的问题，公司名称中的撇号终止SQL字符串并导致问题。



永远不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度，这可能会破坏您的整个数据库。请改用参数化查询。一旦你修复了你的数据库数据，你可能会同时消失其他问题。

You are both wide open to the user doing what he likes with your DB - including deleting it - just by typing in a textbox, and to problems like this, where the apostrophe in the company name terminates the SQL string and causes problems.

Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. Chances are you other problems will go away at the same time, once you fix your DB data as well.

这篇关于从SQL自定义传递值时，它的显示有自定义&＃39;小号的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！