防止参数查询逃逸撇号

Question

我试图通过使用带有SqlConnection的参数化查询来避免在我的字符串变量中逃脱撇号，但它不工作。任何帮助，将不胜感激。

更新：这是当前代码...

'Populate Connection Object 
Dim oCnn As New SqlConnection(strConnection) 

'Define our sql query 
Dim sSQL As String = "INSERT INTO [" & foreignTable & "] (data_text) VALUES (@data_text) ; " 

'Populate Command Object 
    Dim oCmd As New SqlCommand(sSQL, oCnn) 

    'Add up the parameter, associated it with its value 

    oCmd.Parameters.AddWithValue("@data_text", data_text) 

    'Opening Connection for our DB operation 
    oCnn.Open() 

    Try 
     Dim results As Integer = oCmd.ExecuteScalar 
    Catch ex As Exception 
     LabelImport.Text &= "<font color=red>ROOT Import ERROR: " & ex.ToString & ", From Database: " & dbName & ", Text String: " & data_text & "</font><br />" 
     Throw 
    End Try 

    oCnn.Close() 
    oCmd.Parameters.Clear() 

感谢您的帮助。

Answer 1

是的，那是不对的。

它应该是这样的：

Dim sSQL As String = "INSERT INTO [" & foreignTable & "] (data_text) VALUES (@data_text);" 

和参数：

oCmd.Parameters.AddWithValue("@data_text", data_text) 

注：我不“想”就可以通过表名作为参数。你将不得不在字符串中有表名。见Parametise table name in .Net/SQL?

另外，更改此：

Dim results As Integer = oCmd.ExecuteScalar 

到

Dim results as Integer = oCmd.ExecuteNonQuery() 

Answer 2

您只能使用表名创建查询时（我的意思是，从部分相连来："INSERT INTO " + foreignTable + " (data_text) VALUES...，据我所知），还不如查询参数。有关SqlCommand参数的更多信息，请查看SqlParameterCollection.AddWithValue on MSDN，这里也有很好的例子。

'Populate Connection Object 
Dim oCnn As New SqlConnection(strConnection) 

'Define our sql query 
Dim sSQL As String = "INSERT INTO " & foreignTable & " (data_text) VALUES (@data_text);" 

'Populate Command Object 
Dim oCmd As New SqlCommand(sSQL, oCnn) 

'Add up the parameter, associated it with its value 
oCmd.Parameters.AddWithValue("@data_text", data_text) 

'Opening Connection for our DB operation 
oCnn.Open() 

编辑：

+改为&因为C＃作为 “母语”。