Executing SQL commands that contain single-quoted strings in C#
SQL command: string selectCmd = "select * from score where name='" + textBox1.Text + "'";
If a string containing a single quote is typed directly into textBox1, the query throws an exception.
Cause: SQL treats data enclosed in single quotes as a string literal, while data enclosed in double quotes is treated as a string by C#.NET. The two quoting levels are independent: C# only concatenates characters and does not check that the result is valid SQL.
For example:
string selectCmd = "select * from score where name='" + "ab'c" + "'";
After C#.NET concatenates the pieces, the statement becomes:
select * from score where name='ab'c'
When SQL parses this, ab is read as a complete string literal (it is enclosed in single quotes), so c is an unexpected token and the trailing ' has no matching quote; the statement fails with a syntax error. The same mechanism is what makes concatenated SQL vulnerable to SQL injection: any input containing a quote ends the literal early and the rest of the input is parsed as SQL.
Solution:
Inside a SQL string literal, two consecutive single quotes ('') are read as one literal single quote, so the String.Replace method can be used to turn each single quote in the input into two single quotes.
For example:
string selectCmd = "select * from tbname where fieldname='" + textBox1.Text + "'";
becomes:
string selectCmd = "select * from tbname where fieldname='" + textBox1.Text.Replace("'", "''") + "'";
Note that this only protects values that land inside a quoted string literal; values concatenated without quotes (numbers, dates) are not covered. The recommended way to avoid both the exception and SQL injection is to pass the value as a SqlParameter instead of building the statement text from user input.
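An added example (not code from the original page) that puts the two approaches side by side: the Replace-based escaping described above, and a parameterized SqlCommand that keeps the value out of the SQL text entirely. The table score with an nvarchar(50) column name, the connection string and the helper names are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original page. Assumes a SQL Server table
// score(name nvarchar(50), ...) reachable through a connection string
// supplied by the caller (hypothetical).
static class QuoteSafeQueries
{
    // The page's fix: double every single quote so SQL reads it as a literal
    // quote inside a string literal ('ab''c' means ab'c).
    public static string EscapeSqlLiteral(string value)
    {
        return value.Replace("'", "''");
    }

    // Concatenated statement. Safe only because EscapeSqlLiteral is applied
    // and only for values that land inside a quoted string literal.
    public static string BuildSelect(string name)
    {
        return "select * from score where name='" + EscapeSqlLiteral(name) + "'";
    }

    // Preferred version: the value is sent as a typed parameter, the SQL text
    // never changes, so no escaping is needed and a quote (or anything else)
    // in the input cannot alter the statement's structure.
    public static DataTable SelectByName(string connectionString, string name)
    {
        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("select * from score where name = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
        }
        return table;
    }

    static void Main()
    {
        // Constructed input containing a single quote, as a user might type it.
        string input = "ab'c";
        Console.WriteLine(BuildSelect(input));

        // Hypothetical connection string; the parameterized query is called
        // with the raw input, no Replace needed.
        // DataTable rows = SelectByName("Server=.;Database=School;Integrated Security=true", input);
    }
}
```

BuildSelect("ab'c") returns select * from score where name='ab''c', which SQL Server reads as a comparison against ab'c. SelectByName sends the same value as the parameter @name; because the statement text is fixed, a quote in the input cannot terminate the literal early.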
Example:
Compare the following statements:
string sql0 = "INSERT INTO tbBattery_InfoD(Battery_Voltagedouble,Battery_Electricaldouble,Battery_Datedtm) VALUES(" + dataGridView1.Rows[iCCC + 1].Cells[2].Value.ToString() + "," + dataGridView1.Rows[iCCC + 1].Cells[5].Value.ToString() + "," + "'" + datetime + "'" + ")";
string sql1 = "INSERT INTO tbBattery_InfoD(Battery_Voltagedouble,Battery_Electricaldouble,Battery_Datedtm) VALUES('" + dataGridView1.Rows[iCCC + 1].Cells[2].Value.ToString() + "','" + dataGridView1.Rows[iCCC + 1].Cells[5].Value.ToString() + "'," + "'" + datetime + "'" + ")";
Battery_Voltagedouble and Battery_Electricaldouble are float columns. When dataGridView1.Rows[iCCC + 1].Cells[2].Value.ToString() and dataGridView1.Rows[iCCC + 1].Cells[5].Value.ToString() are empty, the first statement fails (its VALUES list becomes VALUES(,,'...'), a syntax error), while the second executes and inserts 0, because SQL Server implicitly converts the quoted empty string '' to 0 for a float column. This works only because the numeric values are written as quoted string literals and relies on implicit conversion; a non-numeric cell would still fail at execution time, and since the cell text is still concatenated into the statement, it is better to parse the cell in C# and pass the result as a typed parameter.
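An added example (not code from the original page) for the battery insert: rather than quoting the numbers so that SQL Server silently turns an empty cell into 0, it parses each grid cell in C#, makes the empty-cell decision explicit, and passes typed parameters. The table and column names are the page's; the connection string, the cell values and the helper names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

// Added example, not from the original page. Assumes the page's table
// tbBattery_InfoD with float columns Battery_Voltagedouble and
// Battery_Electricaldouble and a datetime column Battery_Datedtm.
static class BatteryInsert
{
    // Convert what a grid cell holds into a double. An empty or null cell
    // becomes 0 here, matching what the page observes for the quoted-empty
    // insert, but the choice is made in C# instead of by SQL Server's
    // implicit conversion of '' to float. Anything non-numeric fails early.
    public static double CellToDouble(object cellValue)
    {
        string text = Convert.ToString(cellValue);
        if (string.IsNullOrWhiteSpace(text))
            return 0.0;
        double result;
        if (!double.TryParse(text, NumberStyles.Float, CultureInfo.InvariantCulture, out result))
            throw new FormatException("cell value is not a number: " + text);
        return result;
    }

    // Parameterized insert: no quoting decisions, no concatenation of cell
    // text into the statement, and the datetime is passed as a DateTime
    // rather than a formatted string.
    public static int InsertRow(string connectionString, object voltageCell, object electricalCell, DateTime when)
    {
        const string sql =
            "INSERT INTO tbBattery_InfoD(Battery_Voltagedouble, Battery_Electricaldouble, Battery_Datedtm) " +
            "VALUES (@voltage, @electrical, @date)";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@voltage", SqlDbType.Float).Value = CellToDouble(voltageCell);
            cmd.Parameters.Add("@electrical", SqlDbType.Float).Value = CellToDouble(electricalCell);
            cmd.Parameters.Add("@date", SqlDbType.DateTime).Value = when;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        // Constructed cell contents: one normal reading and one empty cell.
        Console.WriteLine(CellToDouble("3.71"));
        Console.WriteLine(CellToDouble(""));

        // In the form, the arguments would be
        // dataGridView1.Rows[iCCC + 1].Cells[2].Value and
        // dataGridView1.Rows[iCCC + 1].Cells[5].Value; hypothetical connection string.
        // InsertRow("Server=.;Database=Battery;Integrated Security=true", "3.71", "", DateTime.Now);
    }
}
```

CellToDouble("") returns 0 and CellToDouble("3.71") returns 3.71; a cell such as "n/a" throws a FormatException before any SQL is sent, which is the behaviour a practitioner usually wants instead of a conversion error surfacing from the database.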