问题
I have a text field and its breaking my sql statement. How do i escape all the chars in that field? I am using sqlite with http://sqlite.phxsoftware.com/ in C#
回答1:
You should be using a parameter as in:
SQLiteCommand cmd = _connection.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "SELECT * FROM MyTable WHERE MyColumn = @parameter";
cmd.Parameters.Add( new SQLiteParameter( "@parameter", textfield ) );
SQLiteDataReader reader = cmd.ExecuteReader();
Using a parametrised SQL will escape all input values and help protect you from SQL injection attacks.
回答2:
You can also replace all single quote delimiters with doubt single quotes (not ").
sql = sql.Replace("'","''");
来源:https://stackoverflow.com/questions/633245/sql-escape-with-sqlite-in-c-sharp