I have this line of code:
sql += " AND lc.name IN ('" + String.Join(",", id.type.ToArray()) + "')";
id.type contains two items, and this code generates:
AND lc.name IN ('towns back to back,towns 3 storey')
which doesn't work, because it should be:
AND lc.name IN ('towns back to back' , 'towns 3 storey')
How can I fix this?
Answer 0: (score: 0)
This is not an ideal approach, since it is open to SQL injection. But something like this:
Try:
// String.Format takes the format string first; doubling embedded single quotes is the escaping this approach relies on.
sql += " AND lc.name IN (" + String.Join(",", id.type.ToArray().Select(i => String.Format("'{0}'", i.Replace("'", "''")))) + ")";
Answer 1: (score: -1)
Pass the input strings using parameters, like:
var values = id.type.ToArray();
var names = values.Select((v, n) => "@name" + n).ToArray(); // one parameter per value; a single parameter cannot expand into a list
sql += " AND lc.name IN (" + String.Join(",", names) + ")";
for (int n = 0; n < values.Length; n++) sqlcommand.Parameters.AddWithValue(names[n], values[n]);
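Added example, not code from either answer: a small helper that builds the IN list the way Answer 1 points toward (one SqlParameter per value, so the values never enter the SQL text and need none of the quote-doubling from Answer 0) and also handles the empty list, which would otherwise produce the invalid "IN ()". It assumes System.Data.SqlClient and uses constructed sample names taken from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

static class InClauseBuilder
{
    // Returns the " AND lc.name IN (...)" predicate text and registers one
    // parameter per value on cmd. Column name lc.name follows the question.
    public static string BuildNameFilter(SqlCommand cmd, IReadOnlyList<string> names)
    {
        if (names.Count == 0)
        {
            // "IN ()" is a syntax error in T-SQL; an empty list should match nothing.
            return " AND 1 = 0";
        }

        var placeholders = new string[names.Count];
        for (int n = 0; n < names.Count; n++)
        {
            placeholders[n] = "@name" + n;
            // The value travels as a typed parameter, so a quote inside it
            // (e.g. "o'neill") is just data and cannot alter the statement.
            cmd.Parameters.Add(placeholders[n], SqlDbType.NVarChar, 200).Value = names[n];
        }
        return " AND lc.name IN (" + string.Join(", ", placeholders) + ")";
    }

    static void Main()
    {
        // Constructed sample input (the two values from the question).
        var names = new List<string> { "towns back to back", "towns 3 storey" };

        using (var cmd = new SqlCommand())
        {
            string sql = "SELECT * FROM lc WHERE 1 = 1";
            sql += BuildNameFilter(cmd, names);
            cmd.CommandText = sql;

            Console.WriteLine(cmd.CommandText);
            // Expected: SELECT * FROM lc WHERE 1 = 1 AND lc.name IN (@name0, @name1)
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
        }
    }
}
```

The command is built without a connection here only to show the generated text and parameters; attach a SqlConnection before executing it.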