SQL转义符问题 [英] SQL Escape Charecter Problem

问题描述

我正在开发一个需要执行查询的项目.

我的查询就是这样

I''m Developing a project where I need to execute a query.

My query is like this

select * from SalesDetails where ItemCode in(" + items + ") and  dealer in(" + dealers + ")"

我正在使用ADO.NET(C#)编写此查询.
这里的"Items"和"Dealers"是C#的变量，包含字符串值.

我的问题是，如果字符串正常，则没有问题.但是，当字符串中包含{，[，-，@，〜等符号时，查询将不会执行.


我的问题是如何在使用执行时转义所有这些字符.

我不想一个接一个地替换字符.我需要一些在C#中用作@符号的字符，用于转义字符串中的所有字符.

I''m writing this query using ADO.NET(C#).
Here ''Items'' and ''Dealers'' are variables of C#, containing string value.

My problem is if the string is normal then no Issue. But when the string contains symbols like { , [ , - , @ , ~ then the query is not executing.


My Question is how to escape all these characters at the time of using executing.

I don''t want to replace characters one by another. I need something that will work as @ symbol in C# for escaping all the characters in the string.

推荐答案

^ ]

强烈建议使用图例中建议的参数

Few link which helps you escape regular special characters[^]

It is highly recommended to use Parameters as advised by the legends

更重要的是要防止类似

Even more important would be guarding from something like

") Drop table SalesDetails --"

您将要考虑使用参数.请参见 http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx [ ^ ].当您要处理的字符串中包含特殊字符时，这也将有所帮助.

布伦特

You will want to consider using parameters. See http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx[^]. This will also help out when you have special characters in your strings as you are wanting to deal with.

Brent

dbrenth的建议是正确的.我想添加比字符输入更重要的警告方式:无法使用参数化语句使应用程序非常不安全.

使用由一些数据组成的查询字符串，您可以从例如用户输入中获取一些字符串；它可以是任何东西；例如... SQL代码.这样，您的应用程序容易受到称为 SQL Injection 的著名利用的攻击.请参阅:
http://en.wikipedia.org/wiki/SQL_injection [System.Text.StringBuilder和string.Format摆脱了此问题.

—SA

The advice by dbrenth is correct. I would like to add the warning way more important than character input: failure to use parametrized statements make the application very unsafe.

With the query string composed of some data, you can get some strings from, say, user input; and it can be anything; for example… SQL code. This way, your application is vulnerable to a well-known exploit called SQL Injection. Please see:
http://en.wikipedia.org/wiki/SQL_injection[^].

Read about the importance of parametrized statements. Except for safety, they are important for performance and consistence as they are types, in contrast to strings.

By the way, you also should not use repeated string concatenation (''+'') for performance reasons; because strings are immutable; System.Text.StringBuilder and string.Format are free from this problem.

—SA

这篇关于SQL转义符问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！