Question
In C#: I need to create an Oracle query string like this:
string orQr = @"
SELECT ""Date"", ""Key""
FROM TBL
";
I need to do it dynamically. But there is a problem with escaping double-double quotes.
How to do that? This is a little mad ;-) and doesn't work:
string quotes = @"""""";
string subSlct = quotes + "Date" + quotes + ", " + quotes + "Key" + quotes;
string orQrB = @"
SELECT " + subSlct + @"
FROM TBL
";
(the result is: SELECT \"\"Date\"\", \"\"Key\"\"\ FROM TBL )
Answer 1:
Your quotes variable is adding two double quotes, instead of one. Change this:
string quotes = @"""""";
to this:
string quotes = @"""";
Also:
- There's nothing wrong with
string.Format("SELECT \"{0}\", \"{1}\" FROM TBL", a, b);
- Your code is susceptible to SQL injection. In general, you'd want to use parameterized queries, but since these don't allow parameterized column names, you'll want to at the very least sanitize the input yourself and check for illegal characters (e.g., ;, --).
Answer 2:
Does this work:
string quotes = "\"\"";
Answer 3:
Don't construct your query by string concatenation. You open yourself to SQL injection attacks. Use parameterized queries and you will also be able to include the quotes more easily.
Answer 4:
You can just use normal escaping like: string quotes = "\"\"";
Source: https://stackoverflow.com/questions/25015520/double-double-quotes-in-the-string