vb.net escape reserved keywords in sql statement

猫巷女王i 2020-12-22 08:12

I'm trying to execute an sql statement in vb.net to an Access database, I am escaping the reserved word using square brackets []. This has worked in all my SELECT

2 Answers
  • 2020-12-22 08:16

    You're not enclosing your values in quotation marks. Try this:

    datalayer.getDataTable(String.Format(
     "INSERT INTO users (username, password, [level]) VALUES ('{0}', '{1}', '{2}')", 
     username, password, level))
    

    However, as Andrew says, you should really use parameters. In Access SQL (David W Fenton will come along shortly and say it's "Jet" SQL) you have to use positional parameters. Your statement would then look like this:

    INSERT INTO users (username, password, [level]) VALUES (?, ?, ?)
    

    You'd need to create OleDbParameter objects with the correct values, and an OleDbCommand with the text above to execute in order to do your insert.

  • 2020-12-22 08:27

    Always use parameters. What you're doing is very dangerous and leaves the door open to SQL injection.

    Then you won't have to worry about escaping the values you're inserting into the database.

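The parameterized insert that both answers recommend, written out in VB.NET as an added example that is not part of either answer. The helper name `InsertUser`, the connection string, the column types and sizes, and the sample values are assumptions.

```vbnet
Imports System
Imports System.Data.OleDb

Module UserInsertExample

    ' Hypothetical helper (not from the original post): inserts one row into the
    ' users table from the question using positional OleDb parameters.
    Function InsertUser(connectionString As String, username As String,
                        password As String, level As Integer) As Integer

        ' [level] is bracketed because it is a reserved word. Brackets are harmless
        ' around any column name, so password is bracketed too in case the provider
        ' treats it as reserved. Each ? is a positional placeholder for one value.
        Const sql As String =
            "INSERT INTO users (username, [password], [level]) VALUES (?, ?, ?)"

        Using connection As New OleDbConnection(connectionString)
            Using command As New OleDbCommand(sql, connection)
                ' OleDb binds parameters to the ? markers by the order they are added,
                ' not by name. Types and sizes here are assumed; match your schema.
                command.Parameters.Add("@username", OleDbType.VarWChar, 255).Value = username
                command.Parameters.Add("@password", OleDbType.VarWChar, 255).Value = password
                command.Parameters.Add("@level", OleDbType.Integer).Value = level

                connection.Open()
                Return command.ExecuteNonQuery() ' number of rows inserted
            End Using
        End Using
    End Function

    Sub Main()
        ' Placeholder provider and file path; point this at your own Access database.
        Dim connectionString As String =
            "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\your.accdb"

        ' Constructed sample values. The quote in the name is stored as data and
        ' cannot terminate a string literal, because no SQL text is built from it.
        Dim rows As Integer = InsertUser(connectionString, "o'brien", "example-password", 1)
        Console.WriteLine("Rows inserted: " & rows)
    End Sub

End Module
```

With the `String.Format` version, the same `o'brien` value would close the quoted literal early and the statement would fail to parse or be interpreted differently than intended.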