How to escape a string in system.data.sqlite?

怎甘沉沦 提交于 2019-12-06 05:13:31

You should use parameterized queries:

var command = new SQLiteCommand("SELECT something FROM tabletop WHERE color = @Color", Connection);
command.Parameters.AddWithValue("Color", color);

You can also pass an array of SQLiteParameters into the command.Parameters collection like so:

SQLiteParameter[] parameters = { new SQLiteParameter("Color", color), new SQLiteParameter("Size", size) }; // etc.
command.Parameters.AddRange(parameters);

You do it with prepared statements:

SQLiteCommand sql = SQLiteDB.CreateCommand();
sql.CommandText = @"INSERT INTO aziende VALUES (@id_azienda, @nome)";

SQLiteParameter lookupValue = new SQLiteParameter("@id_azienda");
SQLiteParameter lookupValue2 = new SQLiteParameter("@nome");

sql.Parameters.Add(lookupValue);
sql.Parameters.Add(lookupValue2);

lookupValue.Value = "Your unsafe user input goes here";
lookupValue2.Value = "Your second unsafe user input goes here";

sql.ExecuteNonQuery();
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!