use*_*986 0 sql vb.net sql-server
我试图在vb.net中使用sql查询插入数据,如下所示.name = corp int'l poc = 1
当我尝试插入时,我收到一个错误("字符串后的未闭合引号").当我尝试插入只有1个单引号的名称时会发生这种情况.
因此,我添加了一个替换函数,用2个单引号替换1个单引号以逃避符号.没有错误但是当我查看我的数据库时,添加了2个单引号而不是1.
谁能告诉我如何通过参数化查询来逃避单引号?谢谢!
Public Function InsertData(ds As DataSet) As Boolean
Dim cmd As New SqlCommand
Dim cmd1 As New SqlCommand
Dim status As Boolean
Dim name As String
Dim poc As String
Dim id_p As New SqlParameter("id", SqlDbType.VarChar)
Dim name_p As New SqlParameter("name", SqlDbType.VarChar)
cmd.Parameters.Add(id_p)
cmd.Parameters.Add(name_p)
For i = 0 To ds.Tables(0).Rows.Count - 1
If checkExists(ds.Tables(0).Rows(i)(1).ToString(), ds.Tables(0).Rows(i)(2).ToString(), ds.Tables(0).Rows(i)(3).ToString()) = True Then
name = ds.Tables(0).Rows(i)(1).ToString()
poc = ds.Tables(0).Rows(i)(2).ToString()
If name.Contains("'") Then
name = name.Replace("'", "''")
End If
If poc.Contains("'") Then
poc = poc.Replace("'", "'")
End If
name_p.SqlValue = name
id_p.SqlValue = poc
cmd.CommandText = "INSERT INTO Code (Name,ID)" _
& " VALUES (@name,@id)"
status = ExecuteNonQuerybySQLCommand(cmd)
End If
Next
Return status
End Function
Dim strcon As String = "Data Source=x.x.x.x,1433;Network Library=DBMSSOCN;Initial Catalog=code_DB;User ID=xxx;Password=xxx;"
Public Function ExecuteNonQuerybySQLCommand(ByVal cmd As SqlCommand) As Boolean
Dim sqlcon As New SqlConnection
Dim i As Integer = 0
sqlcon.ConnectionString = strcon
cmd.Connection = sqlcon
Try
sqlcon.Open()
i = cmd.ExecuteNonQuery()
sqlcon.Close()
If i > 0 Then
Return True
Else
Return False
End If
Catch ex As Exception
Console.Write(ex)
Return False
End Try
End Function
作为参数传递的值(即SqlParameter对象)不需要转义.这是因为客户端API使用RPC调用来执行查询,查询本身和参数分别传递.通过RPC调用,实际参数值将通过TDS协议以本机(二进制)格式发送到SQL Server,而不是嵌入在语句中.这可以缓解SQL注入问题并提供其他好处,例如强类型和改进的性能.