将括号或引号保存到vb.net中的sql中

Question

我的vb项目有一个保存命令。问题是它不会用＆＃34;来保存文本。 ＆＃39; ＆＃34;或括号。我认为它与sql命令有关..这里是我保存和更新的代码

保存

  Dim myAdapter As New MySqlDataAdapter
            Dim myDatatable As New DataTable
            Dim command As New MySqlCommand
            Dim add As String

            add = "INSERT INTO tracker.recordtracker (Action_Taken,Marginal_Note,Remarks,Type_of_Document,Referred_Date,Items,Received_From,Received_Date,Referred_To,recdate,refdate)values('" + acttaken.Text + "','" + margnote.Text + "','" + remarks.Text + "','" + doctype.Text + "','" + rfrldatelbl.Text + "','" + itemtbx.Text + "','" + rfromtbx.Text + "','" + rcvdate.Text + "','" + reftotbx.Text + "' ,'" + rdate.Text + "',@refdate)"
            command = New MySqlCommand(add, connection)
            refdate.CustomFormat = "yyyy-MM-dd"


            myAdapter.SelectCommand = command
            myAdapter.Fill(myDatatable)
            MsgBox("Data has been successfully added.")
            clearfield()
            loaddatabase()

            connection.Close()
            connection.Dispose()
        Catch ex As Exception
            MsgBox(ex.Message)
        End Try

更新

Try
                connection.Open()
                rcvdate.Text = rdate.Text
                If refdate.Checked = False Then
                    rfrldatelbl.Text = "____-__-__"
                Else
                    refdate.CustomFormat = "yyyy-MM-dd"
                    rfrldatelbl.Text = refdate.Text + " " + TimeOfDay
                End If

                Dim query As String
                query = "update tracker.recordtracker set Action_Taken='" & acttaken.Text & "', Marginal_Note='" & margnote.Text & "', Remarks='" & remarks.Text & "',Type_of_Document='" & doctype.Text & "', Items = '" & itemtbx.Text & "', Referred_To='" & reftotbx.Text & "', Referred_Date='" & rfrldatelbl.Text & "',recdate='" & rdate.Text & "',refdate='" & refdate.Text & "' where id = '" & ID.Text & "'"

                utos = New MySqlCommand(query, connection)
                reader = utos.ExecuteReader

                MsgBox("Data has been changed.")
                connection.Close()
                loaddatabase()

                connection.Close()
                connection.Dispose()
            Catch ex As Exception
                MsgBox(ex.Message)
            End Try

Answer 1

您已附加到形成SQL查询的字符串。您需要阅读SQL injection以了解为什么这是一个糟糕的主意。但基本上它允许任何有权访问您的字符串的人提交这些值，控制您的数据库。您可能希望执行以下操作：

Dim sql As String = "INSERT INTO foo (baz) VALUES (@Baz)"

Using cn As New SqlConnection("Your connection string here"), _
    cmd As New SqlCommand(sql, cn)

    cmd.Parameters.Add("@Baz", SqlDbType.VarChar, 50).Value = Baz
    cmd.ExecuteNonQuery()

解决您的问题。

Answer 2

来自MySQL reference

  

字符串是一个字节或字符序列，包含在其中   单引号（“'”）或双引号（“”“）

所以'是保留字符 如果要在字符串的内容中使用它，则需要使用转义序列\'。

但正如@Matt Fellows在回答中提到的，在数据​​库中保存字符串值的更好做法将是SqlParameters
使用SqlParameter，您不需要使用转义序列，字符串将保持原样（基于列的类型）

Dim param As New SqlParameter With {.ParameterName="@text",
                                    .SqlDbType = SqlDbType.VarChar,
                                    .Value = "Your 'Name' in quotes"}