相关疑难解决方法(0)

只看:

(来源:https://xkcd.com/327/)

这个SQL做了什么:

Robert'); DROP TABLE STUDENTS; --

我知道这两个'并且--是用于评论,但是这个词也没有DROP被评论,因为它是同一行的一部分？

我有下面的代码:

query = "insert into tblB2B_OrderStatusTopStillInRB (LSRNbr, ShipName, Units, DroppedInRB, EPT, Status, OnTimeStatus, ShipVia, DroppedInRB_Order, RealEPT) ";
query += "values ('"
                    + ListOrdStatusTopInRB[i].LSRNbr + "','"
                    + ListOrdStatusTopInRB[i].ShipName + "',"
                    + ListOrdStatusTopInRB[i].Units + ",'"
                    + ListOrdStatusTopInRB[i].DroppedInRB + "','"
                    + ListOrdStatusTopInRB[i].EPT + "','"
                    + ListOrdStatusTopInRB[i].Status + "','"
                    + ListOrdStatusTopInRB[i].OnTimeStatus + "','"
                    + ListOrdStatusTopInRB[i].ShipVia + "','"
                    + ListOrdStatusTopInRB[i].DroppedInRB_Order + "','"
                    + ListOrdStatusTopInRB[i].RealEPT + "')";

cmd.CommandText = query;
cmd.ExecuteNonQuery();

我刚刚意识到,当ShipName一个带有单引号的值时,会在insert语句中导致错误,例如:int'l Transp.

有没有办法解决这个问题,而不从字符串中删除单引号？

我尝试使用以下但没有工作:

cmd.CommandText = @query
+ @ListOrdStatusTopInRB[i].ShipName + "',"

有任何想法吗？