Insert values into an Access Database that contain brackets/braces


Problem description

Using taglib-sharp and OleDb, I'm attempting to index a folder of music files and store all the metadata from said files in an Access Database (I'll probably switch to SQL Compact or something later but the book I have uses Access). The below code should retrieve and store the metadata of the first 1000 files in a given folder and subfolders

OleDbCommand cmd = con.CreateCommand();
DirSearch(@"C:\Users\Stephen\Music");
TagLib.File tagFil;

for (int i = 0; i < 1000; i++)
{
    tagFil = TagLib.File.Create(filesFound[i]);
    string album = tagFil.Tag.Album;
    string artist = tagFil.Tag.FirstPerformer;
    string title = tagFil.Tag.Title;

    if (album == null)
        album = "Unknown Album";
    if (artist == null)
        artist = "Unknown Artist";
    if (title == null)
        title = "Unknown Track";
    cmd.CommandText = "INSERT INTO Track (Title,Artist,Album,Path) VALUES ('" + title + "','" + artist + "','" + album + "','" + filesFound[i] + "')";
    cmd.ExecuteNonQuery();
}

The problem, however, occurs when one of the tags has a bracket in the title. I can see why this would cause a problem but not how to solve/avoid it. I have tried string literals etc but couldn't see how they would work (they don't :/). Any better ideas?

Recommended answer

You should use parameterized queries to accomplish this.

Untested code:

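cmd.CommandText = "INSERT INTO Track (Title,Artist,Album,Path) VALUES (?, ?, ?, ?)";
cmd.Parameters.Clear(); // the command is reused on every loop iteration
// OleDb binds ? placeholders by position, so add the values in column order.
// Parameters.Add(object) only accepts OleDbParameter objects, so pass the strings via AddWithValue.
cmd.Parameters.AddWithValue("@Title", title);
cmd.Parameters.AddWithValue("@Artist", artist);
cmd.Parameters.AddWithValue("@Album", album);
cmd.Parameters.AddWithValue("@Path", filesFound[i]);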

Link:
http://msdn.microsoft.com/en-us/library/system.data.oledb.oledbcommand.parameters.aspx

Your code, as is, is ripe for SQL injections...
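
The loop from the question rewritten around a parameterized command, as an added example that is not code from the question or the answer. It assumes an already open OleDbConnection, the Track table used in the question, and a reference to taglib-sharp; the names TrackIndexer and InsertTracks are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data.OleDb;

static class TrackIndexer   // hypothetical helper class
{
    // Inserts one row per file. Every metadata value travels as a parameter,
    // so quotes, brackets or braces in a tag are stored as plain data and
    // never become part of the SQL text.
    public static int InsertTracks(OleDbConnection con, IList<string> files, int limit)
    {
        int inserted = 0;
        using (OleDbTransaction tx = con.BeginTransaction())
        using (OleDbCommand cmd = con.CreateCommand())
        {
            cmd.Transaction = tx;
            cmd.CommandText =
                "INSERT INTO Track (Title,Artist,Album,Path) VALUES (?, ?, ?, ?)";

            // OleDb binds '?' by position; the names are labels for the reader.
            // Parameters are declared once and only their values change per row.
            OleDbParameter pTitle  = cmd.Parameters.Add("@Title",  OleDbType.VarWChar);
            OleDbParameter pArtist = cmd.Parameters.Add("@Artist", OleDbType.VarWChar);
            OleDbParameter pAlbum  = cmd.Parameters.Add("@Album",  OleDbType.VarWChar);
            OleDbParameter pPath   = cmd.Parameters.Add("@Path",   OleDbType.VarWChar);

            // Do not index past the end of the list if fewer files were found.
            int count = Math.Min(limit, files.Count);
            for (int i = 0; i < count; i++)
            {
                using (TagLib.File tagFil = TagLib.File.Create(files[i]))
                {
                    pTitle.Value  = tagFil.Tag.Title ?? "Unknown Track";
                    pArtist.Value = tagFil.Tag.FirstPerformer ?? "Unknown Artist";
                    pAlbum.Value  = tagFil.Tag.Album ?? "Unknown Album";
                }
                pPath.Value = files[i];
                inserted += cmd.ExecuteNonQuery();
            }
            tx.Commit();   // all rows become visible together
        }
        return inserted;
    }
}
```

Called as `TrackIndexer.InsertTracks(con, filesFound, 1000)`, this replaces the loop in the question; disposing the transaction without reaching `Commit` rolls the batch back if an insert throws.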
