为什么我们在编写SQL查询之前编写@？ [英] why do we write @ before writing a sql query ?

问题描述

我对在sql squeries中使用@时有一个疑问

虽然我们可以在参数化查询中使用@也是这样的 -





插入EMP（EmpName，Salary）值（@EmpName，@ Salary） - 我认为这里@用于userInput，但我不明白为什么@用于下面的代码???

i have a Doubt in mind about the use of @ in sql squeries
although we can use @ in parametrized query also like this --


insert into EMP (EmpName , Salary) values (@EmpName,@Salary) -- i think here @ is used for userInput ,but i dont get why @ is used in below code ???

string _Insert = @"insert into Details(fName,lName,DOB,City) Values('" + fName_Txt.Text + "','" + lName_Txt.Text + "','" +_Date.ToString() + "','" + City_Txt.Text + "')";

请帮助..谢谢提前

pls help ..thanks in advance

推荐答案

它是一个C＃的东西 - 它意味着字面上解释字符串或''按原样''...也就是说

Its a C# thing - it means interpret the string literally or ''as is'' .. that is to say

String myFilePath1 = @"Drive:\Path\File.Ext";

不会导致错误 - \ P和\ F不会被解释，但是

Won''t cause an error - the "\P" and "\F" are not interpreted, but

String myFilePath2 = "Drive:\Path\File.Ext";

会导致错误，因为\ P和\ F无法识别/有效的转义序列 - 你必须使它成为

WILL cause an error because "\P" and "\F" are not recognised/a valid escape sequence - you have to make it

String myFilePath2 = "Drive:\\Path\\File.Ext";

没有''@' 'sign



''g''

without the ''@'' sign

''g''

@ sign代表SQL服务器中的变量

其范围仅限于使用它的批次。







所以，如果你是传递（@EmpName，@ Salary）到t他是sql，这意味着你是以参数的形式将一些变量传递给SQL。

@ sign stands for a variable in SQL server
Its scope is Limited to the batch in which it is used.



So if you are passing (@EmpName,@Salary) to the the sql, it means you are passing some variables to SQL in the form of parameters.

btw，最后，作为一个好的形式，我会参数化SQL语句并避免像这样构建它 - 你让自己开放''SQL注入'' - google it



短版本是如果某人有意进入''; drop table x cascade''（例如）并且被添加到SQL starement并执行了？



..只是说



''g''

btw, lastly, as a matter of good form, I''d parameterise the SQL statement and avoid building it like this - you leave yourself open to ''SQL Injection'' - google it

the short version is "what if someone deliberatly entered '';drop table x cascade'' (for example) and that was added into the SQL starement and executed ?"

.. just saying

''g''

这篇关于为什么我们在编写SQL查询之前编写@？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！