-1

我尝试将路径名插入 mysql 数据库,但它的工作但很奇怪。我发现路径不是我的项目目录的路径,它有点奇怪。当我使用我的程序时,结果是“ D:musicFOREIGN!!New folderarat cakepHilary Duff - Wake Up.mp3 ”。当我从 phpmyadmin 手动插入查询时,其结果“ D:\music\FOREIGN!!\New folder\barat cakep\Hilary Duff - Wake Up.mp3 ”,没什么奇怪的。我做错了什么吗?这是我的代码:

public static void add_song(song input)
    {
        establised();
        try
        {
            MySqlCommand command = connection.CreateCommand();
            command.CommandText = string.Format("INSERT INTO song (ID_SONG, ID_GENRE, ID_CATEGORY, SONG_TITLE, SONG_ARTIST, SONG_LOCATION, SONG_PLAYED) select '', b.id_genre, c.id_category, '{0}', '{1}', '{2}', '0' from genre b, category c where b.genre = '{3}' and c.category = '{4}' ", input.title, input.artist, input.location, input.genre, input.category);
            command.ExecuteNonQuery();
        }
        catch (Exception e) { }
        release();
    }

这是我的示例查询:

"INSERT INTO song (ID_SONG, ID_GENRE, ID_CATEGORY, SONG_TITLE, SONG_ARTIST, SONG_LOCATION, SONG_PLAYED) select '', b.id_genre, c.id_category, 'Wake Up', 'Hilary Duff', 'D:\\music\\FOREIGN!!\\New folder\\barat cakep\\Hilary Duff - Wake Up.mp3', '0' from genre b, category c where b.genre = 'Pop' and c.category = 'international'"
4

2 回答 2

3

使用 MysqlParameter 对象将参数传递给查询,因此会自动检查:

// 1. Use parameters label in the query
command.CommandText = "INSERT INTO song (ID_SONG, ID_GENRE, ID_CATEGORY, SONG_TITLE, SONG_ARTIST, SONG_LOCATION, SONG_PLAYED) select '', b.id_genre, c.id_category, @Title, @Artist, @Location, '0' from genre b, category c where b.genre = @GenRe and c.category = @category "

// 2. Define parameters used in command object
    MySqlParameter param  = new MySqlParameter();
    param.ParameterName = "@Location";
    param.Value         = input.location;

//3. Assign the parameter to the command
command.Parameters.Add(param);

//GO ahead with others parameters ...
于 2011-11-13T09:06:20.300 回答
0

您只需要转义查询字符串中存在的任何文本变量。

需要转义的两个字符是撇号 (') 和斜杠 (\)。

创建一个简单的“FixSQL”函数

Public Shared Function FixSQL(item As String) As String
    Dim result As String

    result = item
    result = Replace(result, "\", "\\")
    result = Replace(result, "'", "''")
    return result
End Function

仅将函数应用于 sql 查询中的变量

于 2013-03-27T22:13:57.393 回答