由网友(ㄨ給硪︻馶煙)分享简介：我想找到在.NET框架中的函数来调用SQL-Server的转义真正发送到SQL Server，为的 mysql的实时​​转义字符串（）调用MySQL的库做PHP。请提出，我可以调用它的方法，它通过一个往返数据库返回转义字符串，没有必要FO执行它的查询有吗？i want to find a function in...

我想找到在.NET框架中的函数来调用SQL-Server的转义真正发送到SQL Server，为的 mysql的实时​​转义字符串（）调用MySQL的库做PHP。 请提出，我可以调用它的方法，它通过一个往返数据库返回转义字符串，没有必要FO执行它的查询 有吗？

i want to find a function in .NET framework to calls SQL-Server's library for escaping really a value for sending to sql server, as mysql-real-escape-string() calls MySQL's library to do in PHP. please propose a method that i can call it and it return escaped string via one round-trip to database, no need fo executing It's query Is there it?

推荐答案

你为什么要这么做？发送用户输入到数据库中的正确方法是不是逃避它，但使用的查询参数的。

Why do you want to do that? The correct way to send user input to the database is not to escape it, but to use query parameters.

using(var command = new SqlCommand("insert into MyTable(X, Y) values(@x, @y)", connection))
{
    command.Parameters.Add("@x", textBoxX.Text);
    command.Parameters.Add("@y", textBoxY.Text);
    command.ExecuteNonQuery();
}

此提供了更好的性能，因为查询文本总是相同的，所以查询执行计划可以被缓存。这也可以让你免受SQL注入攻击。而且它也可以让你忽略的数据格式问题（如日期时间的格式设置SQL服务器？你应该如何重新present一些在SQL？等等）

This provides better performance, because the query text is always the same so the query execution plan can be cached. This also protects you against SQL injection attacks. And it also allows you to ignore data formatting issues (e.g. how is a DateTime formatted in SQL-Server? How should you represent a number in SQL? and so on)