Escape double quotes in SQL 2005/2008

渐次进展 2020-12-21 00:41

I have an international company that has recently been added, which is named "BLA "BLAHBLAH" Ltd. (The double quotes are part of the name.)

Whenever a user tries

8 answers
  • 2020-12-21 01:08

    should be something like

    string sqlCommand = "SELECT c.companyID, c.companyName, c.dateAdded, count(cm.maxID) as NumDirect FROM RussoundGeneral.dbo.Company c LEFT JOIN RussoundGeneral.dbo.CompanyMax cm ON (cm.companyId = c.companyId and cm.maxID is not null) WHERE CONTAINS(companyName, @strVal) GROUP BY c.companyID, c.companyName, c.dateAdded ORDER BY c.companyName ASC"; // @strVal is a parameter, not a quoted literal
    SqlCommand command = new SqlCommand(sqlCommand, conn);
    // The search text is passed as a parameter value, quotes and all, never spliced into the SQL string.
    command.Parameters.AddWithValue("@strVal", SearchTextBox.Text);
  • 2020-12-21 01:09

    I strongly suspect you're building the SQL dynamically - e.g.

    // Bad code, do not use!
    string sql = "SELECT * FROM Foo WHERE X LIKE '" + input + "%'";
    

    That's a really, really bad idea for many reasons - most notably SQL injection attacks. Use parameterised SQL statements instead, where you specify the parameters separately.

    Look at various answers to questions with the sql-injection tag for examples of how to do this properly.

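An added example (not from the thread) showing the difference between the two approaches. It assumes Python with an in-memory SQLite database standing in for SQL Server so that it runs offline; the table and company names are constructed.

```python
import sqlite3

# Constructed sample names, including the one from the question (quotes included)
# and a name with a single quote, the character that breaks string concatenation.
COMPANIES = [
    'BLA "BLAHBLAH" Ltd.',
    "O'Brien & Sons",
    "Blah Industries",
]


def make_db():
    """Build an in-memory table (SQLite stands in for SQL Server here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Company (companyID INTEGER PRIMARY KEY, companyName TEXT)")
    conn.executemany("INSERT INTO Company (companyName) VALUES (?)", [(n,) for n in COMPANIES])
    return conn


def search_concat(conn, user_input):
    """The pattern the second answer warns against: SQL text built by concatenation.

    A quote in the input alters the SQL itself; here that surfaces as a syntax error,
    and a '%' typed by the user is treated as a wildcard instead of a character.
    """
    sql = "SELECT companyName FROM Company WHERE companyName LIKE '" + user_input + "%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def search_param(conn, user_input):
    """Parameterised version: the value travels separately from the SQL text.

    Quotes of either kind are just data. LIKE wildcards typed by the user are
    escaped so they match literally.
    """
    escaped = user_input.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT companyName FROM Company WHERE companyName LIKE ? ESCAPE '\\' ORDER BY companyName"
    return [row[0] for row in conn.execute(sql, (escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    for text in ['BLA "BLAHBLAH"', "O'Brien", "%"]:
        print(repr(text), "concat:", search_concat(db, text), "param:", search_param(db, text))
```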