开发者

replace method mechanism

开发者 https://www.devze.com 2023-01-29 17:01 出处:网络
i face the following problem:: i wanna to escape the following character \' single quote: it works when making this test through :the built in method Replace(\"\'\",\"\'\'\");

i face the following problem::

i wanna to escape the following character ' single quote:

it works when making this test through :the built in method Replace("'","''");

as this code below :(just a test) it works

protected void btn_insert_Click(object sender, EventArgs e)
{
            lbl.Text = string.Empty;
            SqlConnection mycon = new SqlConnection(Constr);`

            SqlCommand mycommand = new SqlCommand("INSERT INTO details VALUES('" + txt.Text.Replace("'", "''") + "','" + txt.Text.Replace("'", "''")+ "')", mycon);

            mycon.Open();
            int affectedRows = 0;

            affectedRows = mycommand.ExecuteNonQuery();
            mycon.Close();
        }

but i wanna to generalize my solution to work all over the application through my Insert method in the data access layer:

public static int InsertEntity(string tblName, Dictionary<string, string> dtParams)
        {
            int Result = -1;
            DBConnection DAL_Helper = new DBConnection("");
            string[] field_names = new string[dtParams.Count];
            dtParams.Keys.CopyTo(field_names, 0);
            string[] field_values = new string[dtParams.Count];
            dtParams.Values.CopyTo(field_values, 0);
            for (int i = 0; i < field_values.Length; i++)
            {
                field_value开发者_开发知识库s[i].Replace("'", "''");
            }
            string insertCmd = "INSERT INTO " + tblName + " (" + string.Join(",", field_names) + ") values ('" + string.Join("','", field_values) + "')";

            Result = DAL_Helper.Execute_NonQuery(insertCmd);
            return Result;
        }

this not escaping the ' single quote charecter,although i use Replace("'","''");

what is the problem ,,how to fix this problem?


I strongly recommend you use Command Parameters using SqlCommand.Parameters collection instead of your approach.

Problem is here :

        for (int i = 0; i < field_values.Length; i++)
        {
            field_values[i].Replace("'", "''");
        }

Replace it with :

        for (int i = 0; i < field_values.Length; i++)
        {
            field_values[i] = field_values[i].Replace("'", "''");
        }


Building on decyclone's answer. CommandParameters are the way to go here, you are just re-inventing it with your own code.

I have found a very nice clear example here for supplying params to a SQL statement.

http://dotnetperls.com/sqlparameter

        using (SqlCommand command = new SqlCommand("SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
        {
            string dogName = "Mc'Dougal";
            //
            // Add new SqlParameter to the command.
            //
            command.Parameters.Add(new SqlParameter("Name", dogName));
            //
            // Read in the SELECT results.
            //
            SqlDataReader reader = command.ExecuteReader();
        }
0

精彩评论

暂无评论...
验证码 换一张
取 消