在动态构造 SQL 语句时，有时候参数里面可能会出现 '、" 、\ 等特殊字符，直接执行就会出现问题。
如:
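var str = "Hell World! ’Hi‘";
// The `$` prefix is required for {str} to be substituted; without it the text "{str}" is inserted literally.
var sql = $"Insert Into Table1(name)values(N'{str}')";
// Resulting statement: Insert Into Table1(name)values(N'Hell World! ’Hi‘')
// Note: the typographic quotes ’ ‘ in str are not the ASCII ' that MySqlHelper.EscapeString escapes,
// so they pass through unchanged; an ASCII ' in str would end the SQL literal early. Building SQL from
// string values is only safe after escaping — a parameterized command is the preferred approach.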
public sealed class MySqlHelper
{
    // The characters that are backslash-prefixed by EscapeString: ', " and \.
    private static readonly char[] s_escapable = { '\'', '"', '\\' };

    /// <summary>
    /// Clears all connection pools. Kept for backward compatibility only; see the obsolete message.
    /// </summary>
    [Obsolete("Use MySqlConnection.ClearAllPools or MySqlConnection.ClearAllPoolsAsync")]
    public static void ClearConnectionPools() => MySqlConnection.ClearAllPools();

    /// <summary>
    /// Escapes single quotes, double quotes and backslashes in <paramref name="value"/> by prefixing
    /// each occurrence with a backslash, so the text can be placed inside a quoted SQL string literal.
    /// </summary>
    /// <param name="value">The text to escape. Must not be <see langword="null"/>.</param>
    /// <returns>
    /// The escaped text, or <paramref name="value"/> itself (same instance) when it contains none of the
    /// three escapable characters.
    /// </returns>
    /// <exception cref="ArgumentNullException"><paramref name="value"/> is <see langword="null"/>.</exception>
    /// <remarks>
    /// Only these three characters are touched; other content (including typographic quotes, control
    /// characters and multi-byte sequences) is copied verbatim. Escaping is a last resort for dynamically
    /// built SQL — a parameterized command does not require it. NOTE(review): backslash escaping is
    /// ineffective when the server runs with the NO_BACKSLASH_ESCAPES sql_mode — confirm the target
    /// configuration before relying on this method.
    /// </remarks>
    public static string EscapeString(string value)
    {
        if (value is null)
            throw new ArgumentNullException(nameof(value));

        // Fast path: nothing to escape, hand back the original instance.
        int next = value.IndexOfAny(s_escapable);
        if (next < 0)
            return value;

        var escaped = new StringBuilder(value.Length + 8);
        int copied = 0; // index of the first character not yet copied into `escaped`
        while (next >= 0)
        {
            escaped.Append(value, copied, next - copied);
            escaped.Append('\\').Append(value[next]);
            copied = next + 1;
            next = value.IndexOfAny(s_escapable, copied);
        }
        escaped.Append(value, copied, value.Length - copied);
        return escaped.ToString();
    }
}