What exactly do you mean by escaping? VB.NET doesn't have 'escaping' in the same way that c-style languages do.

你说的逃跑到底是什么意思？VB.NET 没有像 c 风格语言那样的“转义”。

Now, if you want to ensure that there are no single-qoutes in the pClientId variable, then you have two options:

现在，如果您想确保 pClientId 变量中没有单引号，那么您有两个选择：

Option 1 (not recommended for this scenario): do a simple replace. I.e.

选项 1（不推荐用于这种情况）：做一个简单的替换。IE

pClientId = String.Replace(pClientId, "'","''")

But, as noted, I would NOT do this for what appears to be a SQL Command. What I would do is Option 2: use data parameters to pass parameters to your DB during sql commands

但是，如前所述，我不会对似乎是 SQL 命令的内容执行此操作。我会做的是选项 2：在 sql 命令期间使用数据参数将参数传递给您的数据库

For example:

例如：

Dim cn As New SqlConnection(connectionString)
Dim cmd As New SqlCommand
cn.Open
cmd.Connection=cn
cmd.CommandType=CommandType.StoredProcedure
cmd.CommandText= "sp_Message_insert"
cmd.Parameters.add(New SqlParameter("@clientid", pClientId)
cmd.Parameters.add(New SqlParameter("@message", pMessage)
cmd.Parameters.add(New SqlParameter("@takenby", pUserId)
cmd.Parameters.add(New SqlParameter("@recipients", pRecipients)
cmd.ExecuteNonQuery

If you want to escape the strings then you first have to tell what database you are using. You have to use the correct escaping for the specific database so that you escape all the characters that you need to, but only those.

如果你想转义字符串，那么你首先必须告诉你正在使用什么数据库。您必须对特定数据库使用正确的转义，以便转义所有需要转义的字符，但仅转义这些字符。

I don't know of any database that uses slash as escape character. MySQL uses backslashes, perhaps that is what you mean?

我不知道任何使用斜杠作为转义字符的数据库。MySQL使用反斜杠，也许这就是你的意思？

The best is not to escape the strings at all, but to use a parameterised query. Example:

最好的办法是根本不转义字符串，而是使用参数化查询。例子：

Dim cmd As New SqlCommand("sp_Message_insert")
cmd.Parameters.Add("@clientid").Value = pClientId
cmd.Parameters.Add("@message").Value = pMessage
cmd.Parameters.Add("@takenby").Value = pUserId
cmd.Parameters.Add("@recipients").Value = pRecipients

I think you can just do two apostrophes to create the one. I apologize if that does not work, it has been a while since I have done it that way, I would suggest using SQL Parameters, this will automatically handle your special characters and prevent SQL injection.

我认为你可以只做两个撇号来创建一个。如果这不起作用，我深表歉意，我已经有一段时间没有这样做了，我建议使用 SQL 参数，这将自动处理您的特殊字符并防止 SQL 注入。

Don't build up a string to execute like that.
That's exactly why SQL Injection attacks are possible.

不要建立一个字符串来执行这样的操作。
这正是 SQL 注入攻击可能发生的原因。

Instead use a Data Access Layer, which lets you create parameter objects and associate them with the stored procedure to execute.

而是使用数据访问层，它允许您创建参数对象并将它们与要执行的存储过程相关联。

if you want to execute a String as a query you should use the following code:

如果要将字符串作为查询执行，则应使用以下代码：

Dim query as String 
query.Replace("/", "//")

So would like to add a small notice about parameters names using together with System.Data.Odbc.OdbcCommand, according to http://msdn.microsoft.com/en-us/library/system.data.odbc.odbccommand.commandtype

所以想System.Data.Odbc.OdbcCommand根据http://msdn.microsoft.com/en-us/library/system.data.odbc.odbccommand.commandtype添加一个关于参数名称与 with 一起使用的小通知

The .NET Framework Data Provider for ODBC does not support passing named parameters to an SQL statement or to a stored procedure called by an OdbcCommand. In either of these cases, use the question mark (?) placeholder.

用于 ODBC 的 .NET Framework 数据提供程序不支持将命名参数传递给 SQL 语句或由 OdbcCommand 调用的存储过程。在这两种情况下，请使用问号 (?) 占位符。

an example from here http://msdn.microsoft.com/en-us/library/system.data.odbc.odbcparametercollection(v=vs.80).aspx#Y800:

这里的一个例子http://msdn.microsoft.com/en-us/library/system.data.odbc.odbcparametercollection(v=vs.80).aspx#Y800：

Dim command As OdbcCommand = connection.CreateCommand()
command.CommandText = “{ call MoneyProcedure(?,?,?) ”

command.Parameters.Add("", OdbcType.Int).Value = 1
command.Parameters.Add("", OdbcType.Decimal).Value = 2
command.Parameters.Add("", OdbcType.Decimal).Value = 3