2017-02-20 58 views
2

几个,我的计划是处理创建在读取日志表中的记录中的记录:VB.Net:逃避查询字符串单打引号使用一个变量,单引号

仪器:不正确的语法's'附近。在字符串'))'之后未使用引号。

该代码使用内联查询,该查询将字符串变量的值连接到SELECT和SubQueries中的WHERE子句。

代码:

SQL = "SELECT instrument_id, description, sub_category_of, meta_instrument" _ 
& " FROM instruments " _ 
& " WHERE (instrument_id IN " _ 
& " (SELECT instrument_id " _ 
    & "FROM instruments " _ 
    & "WHERE (description = '" & strn & "'))) " _ 
     & "OR (instrument_id IN " _ 
     & " (SELECT sub_category_of " _ 
     & "  FROM instruments AS instruments_1 " _ 
     & "  WHERE (description = '" & strn & "'))) " _ 
     & "OR (instrument_id IN " _ 
     & " (SELECT meta_instrument " _ 
     & "  FROM instruments AS instruments_1 " _ 
     & "  WHERE (description = '" & strn & "')))" 

是被针对SQL Server执行的实际查询:

SELECT instrument_id, description, sub_category_of, meta_instrument _ 
FROM instrument_ref 
    WHERE (instrument_id IN 
(SELECT instrument_id 
    FROM instruments 
    WHERE (description = 'Women's Choir'))) 
    OR (instrument_id IN 
     (SELECT sub_category_of 
      FROM instruments AS instruments_1 
      WHERE (description = 'Women's Choir'))) 
    OR (instrument_id IN 
     (SELECT meta_instrument 
      FROM instruments AS instruments_1 
      WHERE (description = 'Women's Choir'))) 

我想怎么单引号可以让这个错误可以被处理,以寻求帮助被纠正。我是否在'strn'变量中转义它,还是在内联查询中执行?

非常感谢。

+0

用''替换'' – artm

+5

使用参数来提供您的信息以避免这些问题。 – LarsTech

+2

......这些问题和*许多*其他 – Plutonix

回答

2

至于建议,使用参数:

SQL = "SELECT instrument_id, description, sub_category_of, meta_instrument" _ 
& " FROM instruments " _ 
& " WHERE (instrument_id IN " _ 
& " (SELECT instrument_id " _ 
    & "FROM instruments " _ 
    & "WHERE (description = @description))) " _ 
     & "OR (instrument_id IN " _ 
     & " (SELECT sub_category_of " _ 
     & "  FROM instruments AS instruments_1 " ... etc 

然后,当你构建SqlCommand对象与此SQL,使用命令对象的“.Parameters.AddWithValue()”方法来添加一个名为“@description参数“和适当的价值。

顺便说一句,通过输入“drop table instruments”的描述来防止某人造成严重破坏。

+4

参数很好,但AddWithValue不是。请参阅http://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/ –

+0

谢谢丹......说得很好。 –