请教大家一个Sql Server 问题,我做新闻系统时,如果插入新闻内容中含有单引号( '),比如:insert [news]([newsid],[newscontent]) values( '0001 ', ' "+editor.text+ " ') "
editor.text的值中含有单引号 ',此时插入就会出错,请问该怎么办?
下面是我在sqlserver查询分析器中的语句
update [aspnet_Enterpriser] set [Title]= '九鼎德盛 ',[Name]= '九鼎德盛 ',[NewsContent]= ' '九鼎德盛 ' ',[Date]= '2007-4-29 9:34:00 ',[PicUrl]= 'enterpriser/images/200742994054.jpg ',[NewsFrom]= '九鼎德盛 ' where Id= '24 '提示出错,请大家帮忙?
------解决方案--------------------------------------------------------
'替换成两个
------解决方案--------------------------------------------------------
1.editor.text.Replace( " ' ", " ' ' ");
2.where Id= '24 '改成where Id=24
------解决方案--------------------------------------------------------
建议使用参数
------解决方案--------------------------------------------------------
用参数
------解决方案--------------------------------------------------------
就是SqlParameter param=new SqlParameter()
------解决方案--------------------------------------------------------
OracleParameter[] Parms = new OracleParameter[5];
Parms[0] = new OracleParameter( "XXX ", OracleType.Int32);
Parms[0].Value = yyy;
...........
Parms[4] = new OracleParameter( "ZZZ ", OracleType.Int32);
Parms[0].Value = sss;
用参数最好,不容易有漏洞
------解决方案--------------------------------------------------------
使用参数:SqlParameter
这样不但解决了你的问题,而且能防止SQL注入式攻击
------解决方案--------------------------------------------------------
public bool Insert(string userName,string blogContent,string weather,DateTime addTime)//这个是DAL层的
{
SqlParameter[] Parms = {
new SqlParameter( "@WB_UserName ",SqlDbType.VarChar),
new SqlParameter( "@WB_BlogContent ",SqlDbType.NText),
new SqlParameter( "@WB_Weather ",SqlDbType.VarChar),
new SqlParameter( "@WB_AddTime ",SqlDbType.DateTime)
};
Parms[0].Value = userName;
Parms[1].Value = blogContent;
Parms[2].Value = weather;
Parms[3].Value = addTime.Date;
int val = SqlHelper.ExecuteNonQuery( "INSERT INTO WB_Blog(WB_UserName,WB_BlogContent,WB_Weather,WB_AddTime) VALUES(@WB_UserName,@WB_BlogContent,@WB_Weather,@WB_Addtime) ", Parms);
if (val > 0)
{
return true;
}
else
{
return false;
}
}
//下面两个是sqlhelper类里面的
public DataSet Query(string cmdText, params SqlParameter[] commandParameters)
{
using (SqlConnection connection = new SqlConnection(connectionString))
{
DataSet ds = new DataSet();
SqlCommand cmd = new SqlCommand(cmdText, connection);
try
{
connection.Open();
PrepareCommand(cmd, cmdText, commandParameters);
SqlDataAdapter da = new SqlDataAdapter();
da.SelectCommand = cmd;
da.Fill(ds, "ds ");
}
catch (System.Data.SqlClient.SqlException ex)
{