C# 在将字符串插入数据库期间单引号转义
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11912412/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
single quotes escape during string insertion into a database
提问by lunchbox
Insertion fails when "'" is used. example string is: He's is a boy. I've attempted to skip the "'" using an escape symbol , but I believe this is not the right way.
使用“'”时插入失败。示例字符串是:He's is a boy。我试图使用转义符跳过“'”,但我相信这不是正确的方法。
textBox3.Text.Replace("'", " \'");
string sql= "insert into gtable (1text,1memo) values ('"+textBox3.Text+"',null)";
OleDbCommand cmd = new OleDbCommand(sql, con);
con.Open();
cmd.ExecuteNonQuery();
con.Close();
I did have the option of replacing "'" with "`" but this changes the text in the db as well. I wish to retain "'" as the same , and also insert it into the db.
我确实可以选择用“`”替换“'”,但这也会改变数据库中的文本。我希望将 "'" 保留为相同,并将其插入到数据库中。
采纳答案by juergen d
try
尝试
string sql= "insert into gtable (1text, 1memo) " +
"values ('" + textBox3.Text.Replace("'", "''") + "', null)";
回答by Nikhil Agrawal
To insert single quotes in database replace 'with ''. In database only single quote will go.
要在数据库中插入单引号,请替换'为''. 在数据库中只有单引号会去。
Use this
用这个
string sql= "insert into gtable (1text,1memo) values ('"
+ textBox3.Text.Replace("'", "''") + "', null)";
Rest code is same.
其余代码相同。
回答by codingbiz
Try this
尝试这个
string sql= "insert into gtable (1text,1memo) values (@col1,NULL)";
OleDbCommand cmd = new OleDbCommand(sql, con);
cmd.Parameters.AddWithValue("@col1",textBox3.Text);
con.Open();
回答by Joshua Shearer
On the MSDN article for String.Replaceit says:
在String.Replace的 MSDN 文章中,它说:
Returns a new stringin which all occurrences of a specified Unicode character or String in the current string are replaced with another specified Unicode character or String.
返回一个新字符串,其中当前字符串中所有出现的指定 Unicode 字符或字符串都被另一个指定的 Unicode 字符或字符串替换。
On the very first line you are not assigning the value of textBox3.Text to the result of that method call, meaning that absolutely nothing happens.
在第一行,您没有将 textBox3.Text 的值分配给该方法调用的结果,这意味着绝对不会发生任何事情。
Furthermore, to escape a quote in SQL Server, you simply use two single-quotes (Note: NOT the same thing as a double-quote).
此外,要在 SQL Server 中转义引号,您只需使用两个单引号(注意:与双引号不同)。
This should give you the expected outcome:
这应该给你预期的结果:
textBox3.Text = textBox3.Text.Replace("'", "''");
Additionally, you may wish to look into String.Formatfor your string concatenation needs.
此外,您可能希望查看String.Format以满足您的字符串连接需求。
String escapedInput = textBox3.Text.Replace("'", "''");
String sql = String.Format("insert into gtable (1text,1memo) values ('{0}',null)", escapedInput);
回答by Aki
The best way is:
最好的办法是:
string Name = Server.HtmlEncode(txtName.Text);
