sql查询中的撇号问题 [英] apostrophe s problem in sql query

问题描述

我有评论文本框。它工作得很完美。当我在数据库表中成功插入的评论数据的文本框中输入文本。但是如果我在文本框中使用's'写评论，它会给我错误。我知道完全是错误，因为's。需要什么编码才能解决这个问题？

i have comment textbox.And it is working perfectly.when i enter text in textbox of comment data inserted sucessfully in database table.But if i use ''s in writing comment in textbox,it will give me error.I know perfectly that it is error because of ''s.what coding is require to solve this problem?

SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values(''" + txtname.text + "'',''" + txtaddress.text + "'',''"+txtcomment.text+"'')", cnn);

i已经发现这个问题。我必须这样做..

i have found that for this problem.i have to do ..

txt_comment.Text.Replace("''", "''''");

但是这个替换我必须放的代码，我不知道。

but where this replace unction code i have to put ,i don''t know.

推荐答案

你好请不要使用这种类型你必须使用Sql参数

赞...

Hello Please Dont used this type you Must used Sql Parameter
Like...

SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values(@name,@address,@comment)", cnn);

cmd.Parameters.AddWithValue(@name, txtname.text);
cmd.Parameters.AddWithValue(@address, txtaddress.text);
cmd.Parameters.AddWithValue(@comment, txtcomment.text);
then execute query ..


i Hope ypur problem will solve if not please give me your comment

使用此类型



String cs = WebConfigurationManager.ConnectionStrings [conm]。ConnectionString;

SqlConnection conn = new SqlConnection（cs） ;

conn.Open（）;

SqlCommand cmd = new SqlCommand（）;

cmd.Connection = conn;

cmd.CommandType = CommandType.text;

cmd.CommandText =插入表格（姓名，地址，评论）值（@ name，@ address，@ comment）;



cmd.Parameters.Add（@ name，SqlDbType.VarChar）.Value = txtname.text;

cmd.Parameters.Add（@ address，SqlDbType.VarChar）.Value = txtaddress.text;

cmd.Parameters.Add（@ comment，SqlDbType .VarChar）.Value = txtcomment.text;



cmd.ExecuteNonQuery（）;

conn.Close（）;

use this type

String cs = WebConfigurationManager.ConnectionStrings["conm"].ConnectionString;
SqlConnection conn = new SqlConnection(cs);
conn.Open();
SqlCommand cmd = new SqlCommand();
cmd.Connection = conn;
cmd.CommandType = CommandType.text;
cmd.CommandText = "insert into table (name,address,comment) values(@name,@address,@comment)";

cmd.Parameters.Add("@name", SqlDbType.VarChar).Value = txtname.text ;
cmd.Parameters.Add("@address", SqlDbType.VarChar).Value = txtaddress.text;
cmd.Parameters.Add("@comment", SqlDbType.VarChar).Value = txtcomment.text;

cmd.ExecuteNonQuery();
conn.Close();

非常一般的问题 - 它被称为Sql injuction



解决方案：



1）不要使用连接字符串传递sql查询，总是使用命令参数进行sql查询。因为来自用户的价值可能会破坏您的查询和它很容易破解或破坏你的数据库，你可以搜索关于SQL INJUCTION的更多细节。



2）你可以使用断开连接的架构。





如果你得到它的帮助，请标记为ans&价格也是。

谢谢

Asp.Net/C#.Net帮助 [ ^ ]

Hemant Singh

Hi,

Very general problem - It is called Sql injuction

Solutions :

1)Don''t pass sql query using concatenating string, Always use of command Parameters for your sql query. Because value from users can break your query & it is easily hackable or corrupt your database for more detail you can search about SQL INJUCTION.

2) You can use disconnected architecture.


Please Mark as ans if you get help from it & rate also.
Thanks
Asp.Net/C#.Net Help[^]
Hemant Singh

这篇关于sql查询中的撇号问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！