如何构建SQLite查询来处理包含撇号的字符串

Question

如果字符串company包含撇号,则会导致错误.

示例:公司名称,如"William's store".

如何构建一个SQLite查询,使用SQLite-Net api处理这类问题.

I am using SQLite-Net api and I tried both and they did not work.

In SQLite-Net api, I think there is no Parameters. What other alternative that I can use?


private async void GetCustomerVATGroup(string Company)
{


1) 

string strChkName = Company.Replace("'", "''"); // or Company.Replace("'","\'");

var allUsers = await db.QueryAsync<Customer>(

"Select * From Customer Where CompanyName ='" + strChkName + "'");


2) 

var allUsers = await db.QueryAsync<Customer>(

"Select * From Customer Where CompanyName =''" + Company + "''");


}

Answer 1

从SqlLite文档:

通过将字符串括在单引号(')中形成字符串常量.字符串中的单引号可以通过在行中放入两个单引号来编码 - 如Pascal中所示.不支持使用反斜杠字符的C样式转义,因为它们不是标准SQL.BLOB文字是包含十六进制数据的字符串文字,前面是单个"x"或"X"字符....文字值也可以是令牌"NULL".

因此,您可以使用字符串替换来转义它,但查询数据库的最佳方法是避免字符串连接以避免Sql注入.

最佳实践是使用参数化查询

在sqllite-net中,它们作为参数传递给方法:

var allUsers = await db.QueryAsync<Customer>("Select * From Customer Where CompanyName ='?'", Company);