How to pass a C# variable with apostrophe through MySql

流过昼夜 提交于 2019-12-14 03:28:38

问题


I'm having a problem inputting variables into my database. I've seen other posts on how to pass a variable through by just escaping it, but those solutions do not apply because I am getting my variable's through an API. I'm cycling though data with a foreach loop by the way.

level = "" + x.Account_Level + "";
name = "" + x.name + "";
command.CommandText = "INSERT INTO `data` (`level`, `name`) VALUES(" + level + ", " + name + ")";
command.ExecuteNonQuery();  

Sometimes, a variable will come back with an apostrophe and will screw up the code. Is it possible to insert a slash before every apostrophe or is there a way like in PHP to just push the whole variable through with single quotes? Thanks!

Edit: Would this work? I think I need to add the i to change the name of the parameter each loop, due to it claiming the parameter as already declared.

using (var web = new WebClient())
        {
        web.Encoding = System.Text.Encoding.UTF8;
        var jsonString = responseFromServer;
        var jss = new JavaScriptSerializer();
        var MatchesList = jss.Deserialize<List<Matches>>(jsonString);
        string connectString = "Server=myServer;Database=myDB;Uid=myUser;Pwd=myPass;";
        MySqlConnection connect = new MySqlConnection(connectString);
        MySqlCommand command = connect.CreateCommand();
        int i = 1;


        connect.Open();
        foreach (Matches x in MatchesList)
        {

            command.CommandText = "INSERT INTO `data` (`level`, `name`) VALUES(?level" + i + ", ?name" + i + ")";

             command.Parameters.AddWithValue("level" + i, x.Account_Level);
             command.Parameters.AddWithValue("mode" + i, x.name);

            command.ExecuteNonQuery();
            i++;
        }
        connect.Close();                    
    }

回答1:


The quick and dirty fix is to use something like:

level = level.Replace("'","whatever");

but there are still problems with that. It won't catch other bad characters and it probably won't even work for edge cases on the apostrophe.

The best solution is to not construct queries that way. Instead, learn how to use parameterised queries so that SQL injection attacks are impossible, and the parameters work no matter what you put in them (within reason, of course).

For example (off the top of my head so may need some debugging):

MySqlCommand cmd = new MySqlCommand(
    "insert into data (level, name) values (?lvl, ?nm)", con);
cmd.Parameters.Add(new MySqlParameter("lvl", level));
cmd.Parameters.Add(new MySqlParameter("nm", name)); 
cmd.ExecuteNonQuery();


来源:https://stackoverflow.com/questions/25541370/how-to-pass-a-c-sharp-variable-with-apostrophe-through-mysql

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!