如何在文本框中使用带有文本和specil字符的特殊字符? [英] how to allow special characters in a textbox with text and specil characters?
问题描述
我有一个文本框..当我输入一些带有特殊字符的文本时,它会给出错误...例如。ari的@re in the...它在sql语法中给出了错误(因为iam显示使用SQLConnection的网格视图中的文本)
bool result = false;
DataSet LocalDS = TSDS;
OdbcConnection ConObj = null;
OdbcCommand CmdObj = null;
try
{
ConObj = new OdbcConnection(ConnString);
ConObj.Open();
if(LocalDS.Tables [0] .Rows.Count!= 0)
{
DateTime dt;
字符串日期;
foreach(TSDS.Tables中的DataRow dr [0] .Rows)
{
dt = Convert.ToDateTime(dr [Date]);
date = dt.Year + - + dt.Month + - + dt.Day;
CmdObj = new OdbcCommand(insert into Record_table(Emp_name,Dates,Hours,Task,Client,project,Comments,TeamMemberType)+
values('+ Emp_name +','+ date +',+ dr [4] +,'+ dr [2] +','+ dr [0] +','+ dr [1] +','+ dr [6] +','+ dr [5] +'),ConObj);
CmdObj.ExecuteNonQuery();
result = true;
}
}
else {result = false; }
}
//注释部分在其文本中有特殊字符..这就是问题
< blockquote>如果你用c#编写一个SQL语句,你最有可能编写内联SQL
,例如:
string SQL = SELECT * FROM TableA WHERE字段a like' + input + '
这意味着输入中打破引号的任何内容都会产生语法错误。
出于这个目的,ADO.Net和参数允许您否定转义输入值的问题。
IDbCommand cmd = new connection.CreateCommand();
cmd.CommandText = string SQL = SELECT * FROM TableA WHERE Field a like @输入 ;
IDbDataParameter param = cmd.CreateParameter();
param.ParameterName = @ input;
param.DbType = DbTypes。 String ;
cmd.Parameters.Add(param);
IDataReader reader = cmd.ExecuteReader();
使用此方法让ADO管理添加你的通过参数输入将解决您的问题。
此外,使用内联SQL会产生很大的安全风险。考虑以下输入。
'; GO; DELETE FROM TableA; GO;
使用内联SQL插入的这样的语句可能会造成损害。这种类型的攻击称为 SQL注入攻击
SQL注入 [ ^ ]
尝试使用参数化查询,它从 SQL_injection中保存数据库 [ ^ ]
CmdObj = new OdbcCommand( 插入Record_table(Emp_name,日期,小时,任务,客户,项目,评论,TeamMemberType) +
值(@ Emp_name,@ Dates,@ Hours,@ Task,@ Client,@ project,@ Comments,@TeamMemberType,ConObj)
C. mdObj.Parameters.AddWithValue( @ Emp_name,Emp_name);
CmdObj.Parameters.AddWithValue( @ Dates,date);
CmdObj.Parameters.AddWithValue( @ Hours,dr [ 4 ]);
CmdObj.Parameters.AddWithValue( @ Task,dr [ 2 ]);
CmdObj.Parameters.AddWithValue( @ Client,dr [ 0 ]);
CmdObj.Parameters.AddWithValue( @ project,dr [ 1 ]);
CmdObj.Parameters.AddWithValue( @ Comments,dr [ 6 ]);
CmdObj.Parameters.AddWithValue( @ TeamMemberType,dr [ 5 ]);
i have a textbox..when iam entering some text with special characters it is giving error...for example., "ari's @re in the'"...it is giving error in sql syntax(since iam displaying that text in a grid view using SQLConnection)
bool result = false;
DataSet LocalDS = TSDS;
OdbcConnection ConObj = null;
OdbcCommand CmdObj = null;
try
{
ConObj = new OdbcConnection(ConnString);
ConObj.Open();
if (LocalDS.Tables[0].Rows.Count != 0)
{
DateTime dt;
string date;
foreach (DataRow dr in TSDS.Tables[0].Rows)
{
dt = Convert.ToDateTime(dr["Date"]);
date = dt.Year + "-" + dt.Month + "-" + dt.Day;
CmdObj = new OdbcCommand("insert into Record_table(Emp_name, Dates, Hours, Task , Client , project, Comments, TeamMemberType)" +
"values('" + Emp_name + "', '" + date + "'," + dr[4] + ",'" + dr[2] + "' ,'" + dr[0] + "' ,'" + dr[1] + "','" + dr[6] + "','" + dr[5] + "')", ConObj);
CmdObj.ExecuteNonQuery();
result = true;
}
}
else { result = false; }
}
// the comments part is having special characters in its text..that is giving problemYou're most likely writing in-line SQL
if you write an SQL statement in c# such as:
string SQL = "SELECT * FROM TableA WHERE Field a like '" + input + "'"
It means anything in the input which breaks to quotes is going to create a syntax error.
For this very purpose ADO.Net and parameters allow you to negate the problem of escaping your input values.
IDbCommand cmd = new connection.CreateCommand(); cmd.CommandText = "string SQL = "SELECT * FROM TableA WHERE Field a like @input""; IDbDataParameter param = cmd.CreateParameter(); param.ParameterName = "@input"; param.DbType = DbTypes.String; cmd.Parameters.Add(param); IDataReader reader = cmd.ExecuteReader();
Using this approach where you let ADO manage adding your input through parameters will resolve you problems.
Also, using in-line SQL creates a large security risk. Consider the following input.
';GO;DELETE FROM TableA;GO;
A statement like this inserted using in-line SQL has the potential to do damage. This type of attack is called anSQL Injection Attack
SQL Injection[^]
Try using Parameterized query , it saves the DB from SQL_injection[^]
CmdObj = new OdbcCommand("insert into Record_table(Emp_name, Dates, Hours, Task , Client , project, Comments, TeamMemberType)" + "values( @Emp_name,@Dates, @Hours, @Task , @Client , @project, @Comments, @TeamMemberType", ConObj) CmdObj.Parameters.AddWithValue("@Emp_name", Emp_name); CmdObj.Parameters.AddWithValue("@Dates", date); CmdObj.Parameters.AddWithValue("@Hours", dr[4]); CmdObj.Parameters.AddWithValue("@Task", dr[2]); CmdObj.Parameters.AddWithValue("@Client", dr[0]); CmdObj.Parameters.AddWithValue("@project", dr[1]); CmdObj.Parameters.AddWithValue("@Comments", dr[6]); CmdObj.Parameters.AddWithValue("@TeamMemberType", dr[5]);
这篇关于如何在文本框中使用带有文本和specil字符的特殊字符?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
