c# - 是否需要在使用 String.Format() 的 DML 语句中显式指定单引号？

Question

我想重构一些这样的代码：

dSQL = "INSERT INTO inventory ( id, pksize, Description, supplier_id, UnitCost, UnitList," +
      " Qty, UPC, dept, subdept, upc_pack_size, supplier_item, bqu_id)" +
      " VALUES" + "('" + id +"'" + ", " + 
      pksize + ",'" + desc +"'" + 
      ",'" + supplierID +"'" + ", " + cost + ", " 
      + list + ", " + qty + 
      ",'" + UPC +"'" + ", " + dept + ", " + 
      subdept + ", " + UPCpkSize + 
      ",'" + supplierItem +"','" + redemption + "')";

...对此：

dSQL = string.Format(
      "INSERT INTO inventory ( id, pksize, Description, supplier_id, UnitCost, UnitList," +
      " Qty, UPC, dept, subdept, upc_pack_size, supplier_item, bqu_id)" +
      " VALUES {0}, {1}, {2}, {3}, {4}, {5}, {6}, {7}, {8}, {9}, {10}, {11}, {12}",
      id, pksize, desc, supplierID, cost, list, qty, UPC, dept, subdept, UPCpkSize, supplierItem, redemption);

这种方法是否足够，还是必须将格式值括在单引号中？

更新

我刚刚注意到我添加了关于此代码的“回归时间”的评论：

// This works as a string.Format() assignment without param "?"s or single quotes because dSQL is not executed, it is simply passed to DBCommand for conditional display (if there is an exception)

score 2 · Accepted Answer

我建议使用参数。

这个...

让您摆脱是否使用单引号的问题。
保护您免受 SQL 注入攻击等。

看看这篇文章，例如：第 6 课：向命令添加参数这将向您描述如何做到这一点。

使用参数化查询是一个三步过程：

Construct the SqlCommand command string with parameters.
Declare a SqlParameter object, assigning values as appropriate.
Assign the SqlParameter object to the SqlCommand object's Parameters property.

在您的情况下，您的代码可能如下所示。

步骤1：

SqlCommand cmd = new SqlCommand(
                 "INSERT INTO inventory ( id, pksize, Description, supplier_id, UnitCost, UnitList, Qty, UPC, dept, subdept, upc_pack_size, supplier_item, bqu_id) " +
                 "VALUES" + "(@id, @pksize, [ ... AND YOU OTHER PARAMETERS ... ])";", conn);

第2步：

对所有参数重复此操作。

SqlParameter paramId  = new SqlParameter();
    paramId.ParameterName = "@id";
    paramId.Value         = 12345;

第 3 步：

对所有参数重复此操作。

cmd.Parameters.Add(paramId);

score 1 · Accepted Answer

如果所有值都是数字类型，例如int, decimal,bigint等，则无需将它们括在单引号中。这段代码有效（我刚刚测试过）

dSQL = string.Format(
  "INSERT INTO inventory ( id, pksize, Description, supplier_id, UnitCost, UnitList," +
  " Qty, UPC, dept, subdept, upc_pack_size, supplier_item, bqu_id)" +
  " VALUES ({0}, {1}, {2}, {3}, {4}, {5}, {6}, {7}, {8}, {9}, {10}, {11}, {12})",
  id, pksize, desc, supplierID, cost, list, qty, UPC, dept, subdept, UPCpkSize, supplierItem,    
redemption);

您缺少代码中的开始和结束大括号。

score 1 · Accepted Answer

如果它们是文本（char，nvarchar，varchar，nchar），则需要添加单引号，例如数字不需要。测试它:)

不过我建议你使用 sql 参数:)

c# - 是否需要在使用 String.Format() 的 DML 语句中显式指定单引号？

更新

3 回答 3

Related

Reference