My string contains a single quote ('), for example "mother's love"...
When I insert the data through a SQL query from C#, it shows an error. How do I correct the problem and insert such data successfully?

    string str2 = "Insert into tblDesEmpOthDetails (EmpID, Interviewnotes) values ('" + EmpId + "','" + Interviewnotes + "')";

The content of Interviewnotes includes "mother's love" (a single quote). When this query is executed it shows the error "Unclosed quotation mark after the character string". How do I insert this type of string?
Answer 0: (score: 22)
I'm pretty sure you aren't using SQL parameters:

    using System.Data.SqlClient;
    // ...
    using (SqlCommand myCommand = new SqlCommand(
        "INSERT INTO table (text1, text2) VALUES (@text1, @text2)", myConnection))
    {
        // The values are bound as parameters, so the quote in "mother's love"
        // never becomes part of the SQL text.
        myCommand.Parameters.AddWithValue("@text1", "mother's love");
        myCommand.Parameters.AddWithValue("@text2", "father's love");
        //...
        myConnection.Open();
        myCommand.ExecuteNonQuery();
        //...
    }
Answer 1: (score: 14)
Use named parameters and SqlParameter.
From http://www.dotnetperls.com/sqlparameter

    using System;
    using System.Data.SqlClient;

    class Program
    {
        static void Main()
        {
            string dogName = "Fido"; // The name we are trying to match.
            // Use preset string for connection and open it.
            string connectionString =
                ConsoleApplication1.Properties.Settings.Default.ConnectionString;
            using (SqlConnection connection = new SqlConnection(connectionString))
            {
                connection.Open();
                // Description of SQL command:
                // 1. It selects all cells from rows matching the name.
                // 2. It uses LIKE operator because Name is a Text field.
                // 3. @Name must be added as a new SqlParameter.
                using (SqlCommand command =
                    new SqlCommand("SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
                {
                    // Add new SqlParameter to the command.
                    command.Parameters.Add(new SqlParameter("Name", dogName));
                    // Read in the SELECT results.
                    SqlDataReader reader = command.ExecuteReader();
                    while (reader.Read())
                    {
                        int weight = reader.GetInt32(0);
                        string name = reader.GetString(1);
                        string breed = reader.GetString(2);
                        Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}", weight, name, breed);
                    }
                }
            }
        }
    }
Answer 2: (score: 6)
Although you could replace every ' character in the string with two ' characters (''), that is not a good idea. Because of this problem and for many other reasons (such as avoiding SQL injection attacks), you should definitely use named parameters rather than adding values to the insert statement by concatenating them directly into the string. For example:

    command.CommandText = "Insert into tblDesEmpOthDetails (EmpID, Interviewnotes) values (@EmpId, @Interviewnotes)";
    command.Parameters.AddWithValue("EmpId", EmpId);
    command.Parameters.AddWithValue("Interviewnotes", Interviewnotes);
Answer 3: (score: 2)
Add this line for the string you are trying to enter.
Say your string is

    string test = "that's not working correctly";
    test = test.Replace("'", "''"); // double each single quote

Then test is

    "that''s not working correctly"

which is syntactically correct for SQL.
Regards
Answer 4: (score: 2)
As a variant on the answers that (very correctly) point to parameters: if that seems like a lot of work, use a tool like dapper to avoid it:

    int empId = 123;
    string notes = "abc";
    connection.Execute(@"insert into tblDesEmpOthDetails (EmpID, Interviewnotes)
        values (@empId, @notes)", new { empId, notes });

Dapper will automatically pick up empId and notes (from the anonymous object) and add them as named/typed parameters. The similar Query / Query<T> extension methods also allow simple and highly optimized querying into an object model.
Answer 5: (score: 0)
You need to use a double ''

    INSERT INTO something (Name) VALUES ('O''something''s')

This will insert O'something. Another example I read was:
Let's assume we have a string:

    SQL = "SELECT * FROM name WHERE LastName='" & LastName & "' "

If our name is something like O'Brian, O'Reily etc., we get

    SELECT * FROM name WHERE LastName='O'Brien'

The second ' ends the SQL statement. So the simplest solution here is to use a double '' and then we will have a string like this:

    SELECT * FROM name WHERE LastName='O''Brien'
Answer 6: (score: 0)
That's simple. You use backslash: "\". For example:
"mother's love" should be inserted as "mother\'s love".
I've done it countless times with my own website.
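To compare the approaches proposed in the answers above (splicing the raw value as in the question, doubling the quote, a backslash, and a named parameter) on the question's own "mother's love", here is an added example that is not from the question or any of the answers. It uses Python's sqlite3 in place of SqlClient so it runs offline; the table and column names are the question's, the in-memory table is constructed for the example, and it reports which approaches actually store the string.

```python
import sqlite3

# Constructed stand-in for the question's table. sqlite3 is used only so the
# example runs offline; the quoting behaviour shown is the same on SQL Server.
SCHEMA = "CREATE TABLE tblDesEmpOthDetails (EmpID INTEGER, Interviewnotes TEXT)"
SPLICED = "Insert into tblDesEmpOthDetails (EmpID, Interviewnotes) values ('{}','{}')"

def insert_concatenated(conn, emp_id, notes):
    """The question's pattern: the raw value is spliced into the SQL text."""
    conn.execute(SPLICED.format(emp_id, notes))

def insert_doubled(conn, emp_id, notes):
    """Answers 3 and 5: double every single quote before splicing."""
    conn.execute(SPLICED.format(emp_id, notes.replace("'", "''")))

def insert_backslash(conn, emp_id, notes):
    """Answer 6: backslash before the quote. SQL string literals have no backslash escape."""
    conn.execute(SPLICED.format(emp_id, notes.replace("'", "\\'")))

def insert_parameterized(conn, emp_id, notes):
    """Answers 0, 1, 2 and 4: named parameters; the value never enters the SQL text."""
    conn.execute("INSERT INTO tblDesEmpOthDetails (EmpID, Interviewnotes) "
                 "VALUES (:EmpId, :Interviewnotes)", {"EmpId": emp_id, "Interviewnotes": notes})

METHODS = {
    "concatenated": insert_concatenated,
    "doubled": insert_doubled,
    "backslash": insert_backslash,
    "parameterized": insert_parameterized,
}

def try_insert(method, notes):
    """Run one insert method against a fresh table and report the outcome."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        method(conn, 1, notes)
    except sqlite3.OperationalError as exc:  # the stray quote broke the statement
        return ("error", str(exc))
    row = conn.execute("SELECT Interviewnotes FROM tblDesEmpOthDetails").fetchone()
    return ("stored", row[0])

def compare(notes="mother's love"):
    """Outcome of every method for the same input, keyed by method name."""
    return {name: try_insert(fn, notes) for name, fn in METHODS.items()}

if __name__ == "__main__":
    for name, (status, detail) in compare().items():
        print(f"{name:14s} {status}: {detail}")
```

Only the doubled and parameterized variants store the value; the parameterized one does so without any hand-written escaping, which is why the higher-scored answers recommend it.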