How to put double quotes in ADO.NET query?

Problem description

I am trying to prevent any SQL injection in all my queries and would like to know how to put double quotes in this query. Thanks

// A multi-line string literal in C# needs the verbatim @"..." form to compile;
// string.Format is kept as posted, although with no format arguments it just
// returns the string unchanged.
string sql = string.Format(@"SELECT TOP 10 article_guid, article_title 
                             FROM article 
                             WHERE article.article_isdeleted = 0 AND 
                                   FREETEXT(article_title, @val)");

Recommended answer

Step 1: Don't do this. Use a parameterized query instead.

Parameterized queries remove most of the risk associated with SQL injection attacks.

From the link:

using System.Data;
using System.Data.SqlClient;

private void CallPreparedCmd() {
    string sConnString = 
        "Server=(local);Database=Northwind;Integrated Security=True;";
    // The SQL text contains only parameter placeholders, never user data.
    string sSQL = 
        "UPDATE Customers SET City=@sCity WHERE CustomerID=@sCustomerID";
    using (SqlConnection oCn = new SqlConnection(sConnString)) {
        using (SqlCommand oCmd = new SqlCommand(sSQL, oCn)) {
            oCmd.CommandType = CommandType.Text;

            // Declare each parameter with an explicit type and size so the
            // server can prepare the statement once and reuse the plan.
            oCmd.Parameters.Add("@sCustomerID", SqlDbType.NChar, 5);
            oCmd.Parameters.Add("@sCity", SqlDbType.NVarChar, 15);

            oCn.Open();
            oCmd.Prepare();

            // Values are sent separately from the statement text, so quotes
            // or SQL syntax inside them cannot change the query's meaning.
            oCmd.Parameters["@sCustomerID"].Value = "ALFKI";
            oCmd.Parameters["@sCity"].Value = "Berlin2";
            oCmd.ExecuteNonQuery();

            // The prepared command can be executed again with new values.
            oCmd.Parameters["@sCustomerID"].Value = "CHOPS";
            oCmd.Parameters["@sCity"].Value = "Bern2";
            oCmd.ExecuteNonQuery();

            oCn.Close();
        }
    }
}

That being said, you can insert quotes into a string by escaping the double quotes like this:

string newstring = " \"I'm Quoted\" ";
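The following is an added example, not part of the answer above, that applies the parameterized-query advice to the questioner's own FREETEXT query and puts the vulnerable concatenation beside it for contrast. The connection string, the database name, and a table `article` with a full-text index on `article_title` are assumptions for illustration. The search term is constructed to contain both a double and a single quote: passed as a parameter it reaches SQL Server as data (and the full-text engine then interprets the double quotes, which in FREETEXT request a phrase match), whereas concatenated into the statement the single quote terminates the string literal early.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

class FreetextSearch
{
    // Assumed connection string; not from the original page.
    const string ConnString =
        "Server=(local);Database=Articles;Integrated Security=True;";

    // The safe form: the search term is bound to @val, so it is never part of
    // the SQL text. Quotes of either kind inside it are data, not syntax.
    static List<(Guid Guid, string Title)> Search(string userInput)
    {
        const string sql =
            @"SELECT TOP 10 article_guid, article_title
              FROM article
              WHERE article.article_isdeleted = 0 AND
                    FREETEXT(article_title, @val)";

        var results = new List<(Guid, string)>();
        using (var cn = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, cn))
        {
            cmd.CommandType = CommandType.Text;
            // Typed parameter: the value travels in the RPC call, out-of-band
            // from the statement, so no escaping of quotes is needed.
            cmd.Parameters.Add("@val", SqlDbType.NVarChar, 4000).Value = userInput;

            cn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                while (rdr.Read())
                    results.Add((rdr.GetGuid(0), rdr.GetString(1)));
            }
        }
        return results;
    }

    // The pattern to avoid, shown only for contrast: the input is concatenated
    // into the statement, so a quote in it changes the SQL's structure.
    static string UnsafeSql(string userInput) =>
        "SELECT TOP 10 article_guid, article_title FROM article " +
        "WHERE article.article_isdeleted = 0 AND " +
        "FREETEXT(article_title, '" + userInput + "')";

    static void Main()
    {
        // Constructed input containing both kinds of quotes.
        string term = "\"zero-day\" O'Brien";

        // Prints a statement whose string literal ends at O', i.e. broken SQL
        // that an attacker controls from that point on.
        Console.WriteLine(UnsafeSql(term));

        // The parameterized query receives the whole term as the value of @val.
        foreach (var (guid, title) in Search(term))
            Console.WriteLine($"{guid}: {title}");
    }
}
```

The parameter is declared as `NVarChar(4000)` rather than left for ADO.NET to infer from the value, so the type is stable across calls and the server can reuse the plan; this is the same practice the answer's prepared UPDATE follows with explicit `SqlDbType` and size.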
