如何在没有错误的情况下将撇号包含到文本框中?

时间:2016-09-22 21:00:40

标签: c# html sql asp.net gridview

我有一个gridview,显示文本框或下拉过滤器的结果。它工作正常,除非用户在搜索中使用撇号。例如,“Tommy's Company”将显示一条错误消息,内容为“表达式包含无效的字符串常量:'”。我已经好几天了,我无法理解。无论如何,我可以将撇号包含在文本框中并仍然得到没有错误消息的结果吗?

这是HTML部分:

        <asp:SqlDataSource ID="NewBiddersDBsource" runat="server" ConnectionString="<%$ ConnectionStrings:BiddersDBconnection %>" 
            SelectCommand="SELECT_DefaultContractors" SelectCommandType="StoredProcedure" FilterExpression="{0} LIKE '%{1}%'"> 
            <SelectParameters>
                <asp:ControlParameter ControlID="SearchBox" DefaultValue="%" Name="Name" PropertyName="Text" Type="String" />
                <asp:ControlParameter ControlID="SearchBox" DefaultValue="%" Name="City" PropertyName="Text" Type="String" />
                <asp:ControlParameter ControlID="DDLStatus" DefaultValue="%" Name="Status" PropertyName="Text" Type="String" />
                <asp:ControlParameter ControlID="WorkList" DefaultValue="%" Name="WorkID" PropertyName="Text" Type="String" />
            </SelectParameters>
            <FilterParameters>
                <asp:ControlParameter ControlID="searchList" Name="SearchCategory" PropertyName="SelectedValue" />
                <asp:ControlParameter ControlID="SearchBox" Name="SearchField" PropertyName="Text" />
                <asp:ControlParameter ControlID="WorkList" Name="WorkID" PropertyName="SelectedValue" />
            </FilterParameters>
        </asp:SqlDataSource>

                                                                                                                             “target =”_ blank“&gt;选择                                                                                                                                                                                                                                                                                                                                                                                                    

这是C#部分:

string connectionString = ConfigurationManager.ConnectionStrings [“BiddersDBConnection”]。ConnectionString;             SqlConnection conn = new SqlConnection(connectionString); 

        SqlCommand cmd = new SqlCommand();
        cmd.Connection = conn;

        cmd.CommandType = CommandType.StoredProcedure;

        string nameSearch = SearchBox.Text.Replace("'","''");
        cmd.CommandText = ("SELECT_AllBidders");
        cmd.Parameters.Add("@Name", SqlDbType.VarChar, 200).Value = nameSearch;

        conn.Open();
        cmd.ExecuteNonQuery();

这是来自SQL部分:

CREATE PROCEDURE [dbo].[SELECT_DefaultContractors]
@Name varchar, @City varchar, @Status varchar, @WorkID varchar(50)
AS
BEGIN

SET NOCOUNT ON;


SELECT DISTINCT
    Bidders.Id, Bidders.Name, Bidders.Address, Bidders.City, Bidders.State,
    Bidders.Zip, Bidders.Phone, Bidders.Fax, Bidders.Email, Bidders.Status,
    Bidders.Denied, MWBE_Types.Code AS MWBE
FROM 
    PW_Contractors.dbo.Bidders LEFT JOIN PW_Contractors.dbo.Preqs ON 
    PW_Contractors.dbo.Bidders.Id = PW_Contractors.dbo.Preqs.BidderID
    LEFT JOIN PW_Contractors.dbo.MWBE_Types ON PW_Contractors.dbo.Bidders.MWBE =
    PW_Contractors.dbo.MWBE_Types.MWBEID
WHERE 
    Name LIKE '%' + @Name + '%' OR
    City LIKE '%' + @City + '%' AND Status LIKE '%' + @Status + '%' AND
    WorkID LIKE @WorkID  OR WorkID IS NULL ORDER BY Name ASC;
END

3 个答案:

答案 0 :(得分:0)

我相信你必须逃避角色才能有效尝试这样的事情:

s = s.Replace("'", @"\'");

更具体地说:

single quotes escape during string insertion into a database

也许会让你朝着正确的方向前进。

答案 1 :(得分:0)

我相信您遇到的问题是FilterExpression属性。我不认为它允许单引号。

以下是我测试过的示例代码。

<asp:GridView ID="gvtest" runat="server" AutoGenerateColumns="true" DataSourceID="NewBiddersDBsource"></asp:GridView>
<asp:SqlDataSource 
    ID="NewBiddersDBsource" 
    runat="server" 
    ConnectionString="<%$ ConnectionStrings:MRP %>" 
    SelectCommand="SELECT Name FROM dbo.tmptest WHERE Name LIKE '%' + @Name + '%'">
        <SelectParameters>
            <asp:ControlParameter ControlID="DropDownList1" Name="Name" PropertyName="Text" Type="String" DefaultValue="%"  />
        </SelectParameters>
        <FilterParameters>
            <asp:ControlParameter ControlID="DropDownList1" Name="Name" PropertyName="SelectedValue" />
        </FilterParameters>
</asp:SqlDataSource>
<asp:DropDownList
    id="DropDownList1"
    runat="server"
    AutoPostBack="True">
    <asp:ListItem Selected="True">test</asp:ListItem>
    <asp:ListItem>test1'</asp:ListItem>
    <asp:ListItem>aserewa</asp:ListItem>
</asp:DropDownList>

答案 2 :(得分:0)

在C#和SQL Server 2019中进行替换的正确语法是如此...

来自:

string nameSearch = SearchBox.Text.Replace("'","''");

a:

string nameSearch = SearchBox.Text.Replace("'",@"''");

但是正确使用的方法不是替换撇号,而是使用此方法(请参见下面的代码),这是必须输入数据和选择数据时要使用的方法。

示例: 在表格中插入数据

 string Query = "insert into Pizza ( NomeC ) values (@NomeC)";  
 SqlCommand createCommand = new SqlCommand(Query, loginConn);
 createCommand.Parameters.AddWithValue("@NomeC", Nome_txt.Text);
 createCommand.ExecuteNonQuery();
 ...

读取表中数据的示例

 string Query = "select * from Pizza where NomeC= @NomeC";
 SqlCommand createCommand = new SqlCommand(Query, loginConn);
 createCommand.Parameters.AddWithValue("@NomeC", Nome_txt.Text);
 SqlDataReader dr = createCommand.ExecuteReader();
 ...

这是在C#和sql服务器中插入撇号的正确方法

相关问题
最新问题