SQL escape with sqlite in C#

后端未结

关注

 2  1323

I have a text field and its breaking my sql statement. How do i escape all the chars in that field? I am using sqlite with http://sqlite.phxsoftware.com/ in C#

相关标签:

2条回答

隐瞒了意图╮

2021-01-01 23:50

You should be using a parameter as in:

SQLiteCommand cmd = _connection.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "SELECT * FROM MyTable WHERE MyColumn = @parameter";
cmd.Parameters.Add( new SQLiteParameter( "@parameter", textfield ) );
SQLiteDataReader reader = cmd.ExecuteReader();

Using a parametrised SQL will escape all input values and help protect you from SQL injection attacks.

0 讨论(0)

醉话见心

2021-01-01 23:55
You can also replace all single quote delimiters with doubt single quotes (not ").
```
sql = sql.Replace("'","''");
```
0 讨论(0)
发布评论:

提交评论
- 加载中...