How to save string with quotation mark


Problem description


Hi friends,
I have a problem while saving a string with a quotation mark, like 30's Cotton. I want to save this string.

My save query:

SqlCommand com = new SqlCommand("insert into Table_Name values('" + textBox57.Text + "')", con);

But I get an error. How can I solve this error?
Please reply to me as soon as possible.
Thank you

Recommended answers

I find it best to use HTML Encode and Decode. In fact, for security reasons, you should always use HTMLEncode and HTMLDecode when saving large areas of text to stop XSS scripting and SQL injection.

SqlCommand com = new SqlCommand("insert into Table_Name values('" + Server.HtmlEncode(textBox57.Text) + "')", con);





To Save to Database:
https://msdn.microsoft.com/en-us/library/w3te6wfz%28v=vs.110%29.aspx

To Display from Database:
https://msdn.microsoft.com/en-us/library/7c5fyk1k%28v=vs.110%29.aspx


Your code is vulnerable to SQL injection.
You can prevent SQL injection, and solve your problem at the same time, by using either a stored procedure or a parameterized query.

Try this:
SqlCommand com = new SqlCommand("insert into Table_Name values(@MyValue)", con);
com.Parameters.AddWithValue("@MyValue", textBox57.Text); // the value is sent as a parameter, never as SQL text
com.ExecuteNonQuery();





Check the following article for further details:
Using Parameterized queries to prevent SQL Injection Attacks in SQL Server

Hope it helps :)


Use an SQL parameter to solve the issue.
A parameter sends your exact input to SQL, like:

insert into MyTable values (@id, @name)











And

// the statement text is fixed; the values arrive through parameters
string commandString = "insert into MyTable values (@id, @name)";
int id = 1;
string name = "30's Cotton";
SqlCommand command = new SqlCommand(commandString, connection);
command.Parameters.AddWithValue("id", id);
command.Parameters.AddWithValue("name", name);
command.ExecuteNonQuery();





--
Happy Coding
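The point the last two answers make (send the value as a parameter, never splice it into the SQL text), shown end to end as an added example that is not part of the original thread. It is a stand-alone Python script using sqlite3 as a stand-in for SQL Server so it runs offline; the table and column are constructed for the demo, and the "?" placeholder plays the role of @MyValue in SqlCommand. It runs the asker's input "30's Cotton" through both patterns, then a second constructed input that parses fine under concatenation but inserts a row the application never asked for.

```python
import sqlite3

# sqlite3 stands in for SQL Server here so the demo runs offline; the only
# difference that matters is the placeholder syntax ("?" instead of "@MyValue").
# Constructed schema: the asker's Table_Name is assumed to have one text column.
SCHEMA = "create table Table_Name (value text)"


def insert_concatenated(conn, text):
    """The asker's original pattern: the value is spliced into the SQL text.

    Any quote inside the data is read by the database as SQL syntax, which is
    both the reported error (for "30's Cotton") and the injection vector.
    """
    sql = "insert into Table_Name values('" + text + "')"
    conn.execute(sql)


def insert_parameterized(conn, text):
    """The recommended pattern: the value travels as a parameter, never as SQL
    text, so it is stored exactly as entered no matter what it contains."""
    conn.execute("insert into Table_Name values(?)", (text,))


def stored_values(conn):
    """All rows currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("select value from Table_Name")]


def run_demo(text):
    """Insert `text` both ways into a fresh in-memory table.

    Returns (what concatenation produced, what the parameterized insert stored).
    The first element is the list of stored rows, or an error string when the
    spliced statement failed to parse.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        insert_concatenated(conn, text)
        concat_result = stored_values(conn)
    except sqlite3.Error as exc:
        concat_result = "error: " + str(exc)
    conn.execute("delete from Table_Name")
    insert_parameterized(conn, text)
    return concat_result, stored_values(conn)


if __name__ == "__main__":
    # The asker's input: concatenation fails to parse, the parameter stores it intact.
    print(run_demo("30's Cotton"))
    # A constructed input that parses fine but adds a row the application never asked for.
    print(run_demo("x'), ('injected"))
```

The first call reproduces the asker's error (the spliced statement is `insert into Table_Name values('30's Cotton')`, which no SQL parser accepts) while the parameterized insert stores the text intact. The second call is the security point: concatenation turns one "value" into two rows, the parameterized insert stores the whole string as data. In the asker's ADO.NET code the same thing is achieved with `com.Parameters.AddWithValue("@MyValue", textBox57.Text)` as answered above; a general ADO.NET note, not from this thread, is that `AddWithValue` infers the parameter's SQL type from the .NET value, so for columns with a fixed type and length `com.Parameters.Add("@MyValue", SqlDbType.NVarChar, 100).Value = textBox57.Text;` gives the server an exact type and avoids implicit conversions.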

