如何将单引号添加到字符串 [英] how to add single quotes to a string
本文介绍了如何将单引号添加到字符串的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在尝试进行sql查询,我想添加单引号进行查询但不起作用:(
i am trying to make sql query and i want to add single quotes to query but it don't work :(
string quarry = "Select * from essayT where (EsId=EsId) ";
if (TextBox1.Text != "")
{
string strReplace = TextBox1.Text.Replace(' ', '%');
quarry = quarry + "And ( EsTittleF like N'%" + strReplace + "%')";
}
此考试我试着得到这个查询
从essayT中选择*其中(EsId = EsId)和(EsTittlef喜欢'%textbox1.text%')
i不能将单引号插入字符串
plz help tnx guys:)
in this example i try to get this query
Select * from essayT where (EsId=EsId) And (EsTittlef like '%textbox1.text%' )
i cant insert single quotes to string
plz help tnx guys:)
推荐答案
Don'尝试这样做:不要连接字符串来构建SQL命令。它让您对意外或故意的SQL注入攻击持开放态度,这可能会破坏您的整个数据库。请改用参数化查询。
Don't try to do it like that: Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
string strSelect = @"SELECT * FROM essayT WHERE EsTittleF LIKE '%' + @SS + '%'";
using (SqlCommand cmd = new SqlCommand(strSelect, con))
{
cmd.Parameters.AddWithValue("@SS", Textbox1.Text);
请参阅以下代码
see the following code
string strReplace = TextBox1.Text.Replace("'", "%");
尝试更改以下行
Try changing below line
quarry = quarry + "And ( EsTittleF like N%'" + strReplace + "%')";
这个
with this
quarry = quarry + "And ( EsTittleF like N'%" + strReplace + "%')";
这篇关于如何将单引号添加到字符串的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
