如何将'字符包含在类似查询中 [英] how to include ' character in like query
本文介绍了如何将'字符包含在类似查询中的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
i有一个查询在mssql中使用类似的keywork进行搜索但是当我输入像wendy这样的名字时它会终止查询并抛出错误。我没有使用过sqlparam所以也无法从那里处理。请提供一些帮助。
查询看起来像这样
strSQLWhere.AppendFormat(AND a.name LIKE'%{0}%',txtname.Text.Trim());
请尽快帮助。谢谢
解决方案
难以找到答案吗?它很容易帮助: http://bit.ly/x5qYJi [ ^ ]。 :-)
你的问题更为笼统:你不应该使用字符串连接硬编码任何可以改变你的查询的东西。其中一个主要问题是众所周知的漏洞,称为 SQL注入。
要了解它是什么,请看这里: http://xkcd.com/327 [ ^ ]。
这是一些更详细的解释: http://en.wikipedia.org/wiki/SQL_injection [ ^ ]。
请查看我过去的答案:
在com.ExecuteNonQuery()中重新启动; [ ^ ],
HTTP://msdn.microso ft.com/en-us/library/ff648339.aspx [ ^ ],
你的名字没有显示名称? [ ^ ]。
-SA
不要。
引号标记不仅会给你一个问题,而且会使你的代码对SQL注入攻击敞开大门,这可能会破坏或破坏你的数据库。改为使用参数化查询。
使用(SqlConnection con = new SqlConnection(strConnect))
{
con.Open();
使用(SqlCommand com = new SqlCommand( SELECT * FROM myTable WHERE [name] LIKE'%'+ @NM +'%',con))
{
com.Parameters.AddWithValue( @ NM,textname.Text.Trim());
使用(SqlDataReader reader = com.ExecuteReader())
{
while (reader.Read())
{
...
}
}
}
}
阅读以下内容: http://technet.microsoft.com/en-us/library/aa224033%28v=sql.80%29.aspx [ ^ ]
hello frens, i need some help
i have a query to search using like keywork in mssql but when i type name like wendy's it terminates the query and throws error. i have not used sqlparam so cannot handle from there also. please suggest some help.
the query looks like this
strSQLWhere.AppendFormat(" AND a.name LIKE '%{0}%'", txtname.Text.Trim());
please help asap. thanks
解决方案
Was it so difficult to find out? It's easy to help: http://bit.ly/x5qYJi[^]. :-)
Your problem is more general: you should neither hard-code anything which can change no compose your queries using string concatenation. One of the major problem is the well-known exploit called SQL injection.
To understand what is that, just look here: http://xkcd.com/327[^].
This is some more detailed explanation: http://en.wikipedia.org/wiki/SQL_injection[^].
Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();[^],
http://msdn.microsoft.com/en-us/library/ff648339.aspx[^],
hi name is not displaying in name?[^].
—SA
Don't.
Not only will quote marks give you a problem, but it leaves your code wide open to an SQL Injection attack which can damage or destroy your database. Use a parameterized query instead.
using (SqlConnection con = new SqlConnection(strConnect)) { con.Open(); using (SqlCommand com = new SqlCommand("SELECT * FROM myTable WHERE [name] LIKE '%' + @NM + '%'", con)) { com.Parameters.AddWithValue("@NM", textname.Text.Trim()); using (SqlDataReader reader = com.ExecuteReader()) { while (reader.Read()) { ... } } } }
Read the following : http://technet.microsoft.com/en-us/library/aa224033%28v=sql.80%29.aspx[^]
这篇关于如何将'字符包含在类似查询中的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文