问题描述
我正在寻找必须在 ms sql server 中转义的特殊字符列表,但找不到一个和大多数我看到的类似问题的答案,建议使用参数化查询..我已经在做,但是框架我正在使用对我没有任何逃避.
I was looking for a list of special characters that must be escaped in ms sql server but could not find one and most of answers I saw for the similar questions advised to use Parameterised queries.. which I am already doing but the framework I am using does not does any escaping for me.
因此我想我会尝试一下,看看哪个失败了....然后我尝试了一个简单的查询
Thus I thought I will give a bunch of those a try and see which one fails.... and I tried a simple query
select * from x where value = '<characters>'
在这样的查询中,我尝试了几乎所有我能在键盘上找到的字符,所有这些似乎都有效......除了单引号之外......那个失败了.
in such query I tried almost all the characters I could find on my keyboard and all of them seem to work... besides the Singe Quote.. that one fails.
因此,我想知道在 ms sql server - tsql 中无效且必须转义的字符列表,并且不想冒只转义单引号的风险而留下可能导致麻烦的其余部分
Thus I want to know the list of characters that are invalid and must be escaped in ms sql server - tsql and do not want to take the risk of just escaping the single quote and leave the rest that could cause trouble
感谢您的帮助
推荐答案
字符串中唯一需要转义的字符是单引号(由两个单引号一起完成).否则,它是一个字符串,t-sql 不会再为它大惊小怪了.
The only character that needs escaping in a string is a single quote (which is done with two single quotes together). Otherwise, it's a string and t-sql will fuss with it no further.
如果您使用 LIKE 语句,请参阅此 SO 主题 在 SQL Server 中对字符串进行转义,以便在 LIKE 表达式中安全使用
If you're using a LIKE statement, see this SO topic Escape a string in SQL Server so that it is safe to use in LIKE expression
顺便说一句,任何不允许我使用参数的框架,不能正确地转义我的东西,都是一个硬站.尝试手动清理字符串输入就像依赖拉出方法;最终它会得到你.
As an aside, any framework that doesn't let me use parameters, that doesn't properly escape stuff for me, is a hard stop. Trying to sanitize string input manually is like relying on the pull out method; eventually it's gonna get you.
这篇关于Tsql中必须转义的字符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!