C# 将字符串变量中的转义字符转换为 SQL 查询的字符串文字
C# Convert Escape Characters inside string variable into string literal for SQL query
我正在尝试将 C# 中包含转义字符(如“\r\n”)的字符串变量转换为字符串文字,以便它可以在 SQL 查询中使用。
// Here is the value of the string which IS NOT actually a verbatim string literal, but a value passed on from a selected dropdown list.
strEmailText = "We're writing in regard to XXX mentioned above.\r\nPlease contact us.\r\nWe're available by direct reply.\r\nThank you for your assistance."
// Here I create the actual SQL string for use to query the database
strSQL = @"SELECT DISTINCT TBL_EmailText.ID FROM TBL_EmailText WHERE (TBL_EmailText.Text = N'" + strEmailText + "')";
现在,每当我尝试使用此 SQL 字符串进行搜索时,它都会转换转义字符并弄乱查询,如下所示:
@"SELECT DISTINCT TBL_EmailText.ID FROM TBL_EmailText WHERE (TBL_EmailText.Text = N'We''re writing in regard to XXX mentioned above.
Please contact us.
We''re available by direct reply.
Thank you for your assistance.')"
所以我的问题是,我怎样才能让它工作,以便它使用以下内容进行搜索:
@"SELECT DISTINCT TBL_EmailText.ID FROM TBL_EmailText WHERE (TBL_EmailText.Text = N'We''re writing in regard to XXX mentioned above.\r\nPlease contact us.\r\nWe''re available by direct reply.\r\nThank you for your assistance.')"
我已经找到并尝试使用此代码,但它不起作用:
protected internal static StringWriter ToLiteral(string strString)
{
using (StringWriter strWriter = new StringWriter())
{
using (CodeDomProvider cdpProvider = CodeDomProvider.CreateProvider("CSharp"))
{
cdpProvider.GenerateCodeFromExpression(new CodePrimitiveExpression(strString), strWriter, null);
return strWriter.ToString();
}
}
}
它仍然转换转义字符。
如有任何帮助,我们将不胜感激。提前致谢!
使用字符串文字:
strEmailText = @"We're writing in regard to XXX mentioned above.\r\nPlease contact us.\r\nWe're available by direct reply.\r\nThank you for your assistance."
此外,在您的 sql 中使用参数以确保它被正确插入,并防止 sql 注入。
你不应该生成 SQL 带有嵌入文字字符串的句子,这就是 query parameters 的目的。
您的问题不是转义字符引起的。这些只对 C# 重要。当字符串连接到您的 sql 查询时,它们将只是一个常规的回车 return 和换行符。
真正的问题是首先使用字符串连接引起的!您的数据中有一个撇号,一旦连接起来就会弄乱最终查询。
相反,使用参数化查询,这不会成为问题,您也将避免 sql 注入漏洞!
// Here is the value of the string which IS NOT actually a verbatim string literal, but a value passed on from a selected dropdown list.
strEmailText = "We're writing in regard to XXX mentioned above.\r\nPlease contact us.\r\nWe're available by direct reply.\r\nThank you for your assistance."
// Here I create the actual SQL string for use to query the database
strSQL = @"SELECT DISTINCT TBL_EmailText.ID FROM TBL_EmailText WHERE TBL_EmailText.Text = @EmailText";
using (var sqlCmd = new SqlCommand(strSQL, conn))
{
sqlCmd.CommandType = CommandType.Text;
sqlCmd.Parameters.Add(new SqlParameter { ParameterName = "@EmailText", SqlDbType = SqlDbType.NVarChar, Value = strEmailText });
using(SqlDataReader rdr = sqlCmd.ExecuteReader())
{
//Do something with the data
}
}
注意参数 @EmailText 在 sql 查询中的使用,以及它是如何添加到 sqlCmd 对象的 Parameters 集合中的。
这种方法将消除查询中的撇号问题,更重要的是,sql 注入漏洞。
我正在尝试将 C# 中包含转义字符(如“\r\n”)的字符串变量转换为字符串文字,以便它可以在 SQL 查询中使用。
// Here is the value of the string which IS NOT actually a verbatim string literal, but a value passed on from a selected dropdown list.
strEmailText = "We're writing in regard to XXX mentioned above.\r\nPlease contact us.\r\nWe're available by direct reply.\r\nThank you for your assistance."
// Here I create the actual SQL string for use to query the database
strSQL = @"SELECT DISTINCT TBL_EmailText.ID FROM TBL_EmailText WHERE (TBL_EmailText.Text = N'" + strEmailText + "')";
现在,每当我尝试使用此 SQL 字符串进行搜索时,它都会转换转义字符并弄乱查询,如下所示:
@"SELECT DISTINCT TBL_EmailText.ID FROM TBL_EmailText WHERE (TBL_EmailText.Text = N'We''re writing in regard to XXX mentioned above.
Please contact us.
We''re available by direct reply.
Thank you for your assistance.')"
所以我的问题是,我怎样才能让它工作,以便它使用以下内容进行搜索:
@"SELECT DISTINCT TBL_EmailText.ID FROM TBL_EmailText WHERE (TBL_EmailText.Text = N'We''re writing in regard to XXX mentioned above.\r\nPlease contact us.\r\nWe''re available by direct reply.\r\nThank you for your assistance.')"
我已经找到并尝试使用此代码,但它不起作用:
protected internal static StringWriter ToLiteral(string strString)
{
using (StringWriter strWriter = new StringWriter())
{
using (CodeDomProvider cdpProvider = CodeDomProvider.CreateProvider("CSharp"))
{
cdpProvider.GenerateCodeFromExpression(new CodePrimitiveExpression(strString), strWriter, null);
return strWriter.ToString();
}
}
}
它仍然转换转义字符。
如有任何帮助,我们将不胜感激。提前致谢!
使用字符串文字:
strEmailText = @"We're writing in regard to XXX mentioned above.\r\nPlease contact us.\r\nWe're available by direct reply.\r\nThank you for your assistance."
此外,在您的 sql 中使用参数以确保它被正确插入,并防止 sql 注入。
你不应该生成 SQL 带有嵌入文字字符串的句子,这就是 query parameters 的目的。
您的问题不是转义字符引起的。这些只对 C# 重要。当字符串连接到您的 sql 查询时,它们将只是一个常规的回车 return 和换行符。
真正的问题是首先使用字符串连接引起的!您的数据中有一个撇号,一旦连接起来就会弄乱最终查询。
相反,使用参数化查询,这不会成为问题,您也将避免 sql 注入漏洞!
// Here is the value of the string which IS NOT actually a verbatim string literal, but a value passed on from a selected dropdown list.
strEmailText = "We're writing in regard to XXX mentioned above.\r\nPlease contact us.\r\nWe're available by direct reply.\r\nThank you for your assistance."
// Here I create the actual SQL string for use to query the database
strSQL = @"SELECT DISTINCT TBL_EmailText.ID FROM TBL_EmailText WHERE TBL_EmailText.Text = @EmailText";
using (var sqlCmd = new SqlCommand(strSQL, conn))
{
sqlCmd.CommandType = CommandType.Text;
sqlCmd.Parameters.Add(new SqlParameter { ParameterName = "@EmailText", SqlDbType = SqlDbType.NVarChar, Value = strEmailText });
using(SqlDataReader rdr = sqlCmd.ExecuteReader())
{
//Do something with the data
}
}
注意参数 @EmailText 在 sql 查询中的使用,以及它是如何添加到 sqlCmd 对象的 Parameters 集合中的。
这种方法将消除查询中的撇号问题,更重要的是,sql 注入漏洞。