2010-12-07 107 views
0

I'm confused about this string concatenation. Could someone please briefly explain how this string concatenation happens? What I find confusing is how the +, "" and ' characters perform string concatenation between two " characters in this kind of SQL query.

int i = Magic.Allper("insert into tbl_notice values ('" + Label1.Text + "','" + companyTxt.Text + "','" + txtBranch.Text + "','" + dateTxt.Text + "' ,'" + reportingTxt.Text + "','" + venueTxt.Text + "','" + eligibilityTxt.Text + "')"); 
+1

How to ask - http://tinyurl.com/so-hints – Oded 2010-12-07 15:13:22

+0

What error are you getting? – hvgotcodes 2010-12-07 15:14:09

+1

http://en.wikipedia.org/wiki/SQL_injection – 2010-12-07 15:15:09

Answers

3

Anything written in quotation marks like this is treated as a string in Java, so "','" produces ','. SQL requires strings to be wrapped in '. So when the query is built, "'" + venueTxt.Text + "'" resolves to 'variable value'.

2

I strongly recommend that you do not use string concatenation in SQL queries. It invites SQL injection, which leads to security problems.

What is SQL Injection?

To answer your question: this simply concatenates. It takes each TextBox.Text property value and joins them into the insert statement.

I strongly recommend that you use parameterized queries, as in the example below using ADO.NET (assuming SQL Server):

// Needs: using System.Data; using System.Data.SqlClient;
using (var connection = new SqlConnection(connString))
using (var command = connection.CreateCommand())
{
    // One named placeholder per column; the values are sent to the server separately from the SQL text.
    string sql = "insert into tbl_notice values(@label1, @companyTxt, @txtBranch, @dateTxt, @reportingTxt, @venueTxt, @eligibilityTxt)";

    command.CommandText = sql;
    command.CommandType = CommandType.Text;

    // Parameter variables are named *Param so they do not shadow the controls (Label1, companyTxt, ...).
    SqlParameter label1Param = command.CreateParameter();
    label1Param.ParameterName = "@label1";
    label1Param.Direction = ParameterDirection.Input;
    label1Param.Value = Label1.Text;
    command.Parameters.Add(label1Param); // CreateParameter does not add it to the command by itself

    SqlParameter companyParam = command.CreateParameter();
    companyParam.ParameterName = "@companyTxt";
    companyParam.Direction = ParameterDirection.Input;
    companyParam.Value = companyTxt.Text;
    command.Parameters.Add(companyParam);

    // And so forth for each of the parameters enumerated in your sql statement.

    if (connection.State == ConnectionState.Closed)
        connection.Open();

    int rowsAffected = command.ExecuteNonQuery();
}
1

I would use the String.Format method for clarity

int i = Magic.Allper(string.Format("insert into tbl_notice values ('{0}','{1}','{2}','{3}','{4}','{5}','{6}')", 
    Label1.Text, 
    companyTxt.Text, 
    txtBranch.Text, 
    dateTxt.Text, 
    reportingTxt.Text, 
    venueTxt.Text, 
    eligibilityTxt.Text)); 

You might also want to create an extension method to ensure strings are passed to SQL safely this way

using System.Linq;

// Extension methods must live in a static class.
public static class SqlStringExtensions
{
    public static string ToSqlFormat(this string mask, params string[] args)
    {
        // Strings are immutable: Replace returns a new string, so the result has to be kept.
        // Doubling a single quote escapes it inside a SQL string literal.
        string[] safe = args.Select(a => a.Replace("'", "''")).ToArray();
        // Pass the array as the params object[] so each value fills its own {n} slot.
        return string.Format(mask, safe);
    }
}

This would let you write

string insert = "insert into tbl_notice values ('{0}','{1}','{2}','{3}','{4}','{5}','{6}')"; 
int i = Magic.Allper(insert.ToSqlFormat( 
    Label1.Text, 
    companyTxt.Text, 
    txtBranch.Text, 
    dateTxt.Text, 
    reportingTxt.Text, 
    venueTxt.Text, 
    eligibilityTxt.Text)); 
2
("insert into tbl_notice values ('" + Label1.Text + "','" + companyTxt.Text + "','" + txtBranch.Text + "','" + dateTxt.Text + "' ,'" + reportingTxt.Text + "','" + venueTxt.Text + "','" + eligibilityTxt.Text + "')"); 

Assume

  • Label1 = Hello
  • companyTxt = ABC
  • txtBranch = Engineering
  • dateTxt = 2011-01-30
  • reportingTxt = Fergusson
  • venueTxt = Batcave
  • eligibilityTxt = No

Substituting the above values into the SQL statement makes it look like

("insert into tbl_notice values ('" + Hello + "','" + ABC + "','" + Engineering + "','" + 2010-12-01 + "' ,'" + Fergusson + "','" + Batcave + "','" + No + "')"); 

The "+" operator concatenates the string values, resulting in

("insert into tbl_notice values ('Hello','ABC','Engineering','2010-12-01' ,'Fergusson','Batcave','No')")
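The concatenation walked through in the answer above, the parameterized query from the ADO.NET answer and the quote-doubling idea behind ToSqlFormat, demonstrated together as an added example (this is not code from any of the answers). It uses Python's built-in sqlite3 module in place of ADO.NET and SQL Server so that it runs offline; the sample values are constructed to mirror the list above, and the venue value containing an apostrophe is a constructed, legitimate input that shows why the concatenated statement breaks while the parameterized one does not.

```python
import sqlite3

# Column order of tbl_notice, matching the order of the TextBox values in the question.
COLUMNS = ["Label1", "companyTxt", "txtBranch", "dateTxt",
           "reportingTxt", "venueTxt", "eligibilityTxt"]

# Constructed sample values, mirroring the list in the answer above.
SAMPLE = {
    "Label1": "Hello", "companyTxt": "ABC", "txtBranch": "Engineering",
    "dateTxt": "2010-12-01", "reportingTxt": "Fergusson",
    "venueTxt": "Batcave", "eligibilityTxt": "No",
}


def build_by_concatenation(values):
    """Reproduce the question's pattern: "('" + a + "','" + b + ... + "')".
    Returns the single SQL string the database would receive."""
    return ("insert into tbl_notice values ('"
            + "','".join(values[c] for c in COLUMNS) + "')")


def build_with_escaping(values):
    """Same concatenation, but each value has ' doubled to '' first,
    which is what the ToSqlFormat extension method above sets out to do."""
    return ("insert into tbl_notice values ('"
            + "','".join(values[c].replace("'", "''") for c in COLUMNS) + "')")


def new_db():
    """In-memory SQLite database with a tbl_notice of text columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tbl_notice ("
                 + ", ".join(c + " text" for c in COLUMNS) + ")")
    return conn


def insert_concatenated(conn, values):
    """Execute the concatenated statement; returns (ok, detail).
    A value containing a quote ends the literal early and the parser
    sees the rest of the value as SQL, so the statement fails."""
    try:
        conn.execute(build_by_concatenation(values))
        return True, "inserted"
    except sqlite3.OperationalError as err:
        return False, str(err)


def insert_parameterized(conn, values):
    """One placeholder per column (sqlite3 uses ? where ADO.NET uses @name).
    The values travel separately from the SQL text, so quotes in the data
    are never parsed as syntax."""
    sql = ("insert into tbl_notice values ("
           + ", ".join("?" for _ in COLUMNS) + ")")
    conn.execute(sql, [values[c] for c in COLUMNS])
    return True, "inserted"


def stored_venues(conn):
    """Venue values currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("select venueTxt from tbl_notice")]


if __name__ == "__main__":
    conn = new_db()
    print(build_by_concatenation(SAMPLE))
    print(insert_concatenated(conn, SAMPLE))
    tricky = dict(SAMPLE, venueTxt="O'Brien's Hall")  # constructed, legitimate input
    print(build_by_concatenation(tricky))
    print(insert_concatenated(conn, tricky))   # fails with a syntax error
    print(insert_parameterized(conn, tricky))  # succeeds
    print(stored_venues(conn))
```

Running the script shows the benign values producing exactly the statement listed in the answer above, the apostrophe value turning the concatenated statement into a parse error, and the same value being stored intact by the parameterized insert. build_with_escaping shows the quote-doubling variant producing a statement the parser accepts, but it only works if every value is escaped and only for quote characters, which is why the ADO.NET answer's parameters are the better choice.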