如何在sql server的動態查詢中使用「'」？

Question

我存儲了搜索過程。

ALTER Proc [dbo].[USP_GETFAQ] 
@SortBy Varchar(128)='CreatedDate DESC',    
@Page int=1,    
@RecsPerPage int =10,    
@Status Char(5)='',   
@Question varchar(500)='',   
@Answer varchar(1000)='' 
As  
DECLARE @SQL VARCHAR(MAX)    
DECLARE @DSQL VARCHAR(MAX)    
DECLARE @whereCondition VARCHAR(1024)    
DECLARE @FirstRec int, @LastRec int    
SET @FirstRec = (@Page - 1) * @RecsPerPage    
SET @LastRec = (@Page * @RecsPerPage + 1)    
Declare @SectionCount int;    
Set NoCount On    
Begin    
SET @SQL='Select    
    ROW_NUMBER() over(order by '+@SortBy +') rownum,    
* FROM faq where Status <>''D'''   
if @Status !='' and @Status is not null AND @Status!='ALL'   
begin   
SET @SQL+=' AND Status = '''+@Status+''''   
end   
if @Question!=''   
begin   
SET @SQL +=' AND Question like '''+'%'+REPLACE(@Question, '''', '')+'%'+'''' 
end   
if @Answer!=''   
begin   
SET @SQL +=' AND Answer like '''+'%'+REPLACE(@Answer, '''', '')+'%'+''''   
end   
SET @DSQL='SELECT * from (' + @SQL +') AS tbl'    
print @DSQL    
DECLARE @TEMPResult TABLE(RowNum INT,    
ID uniqueIdentifier,    
Question varchar(500),    
Answer varchar(1000),    
CreatedDate DateTime,    
LastModifiedDate dateTime,    
CreatedByIp varchar(20),    
LastModifiedByIp varchar(20),    
CreatedBy varchar(50),    
ModifiedBy varchar(50),    
[Order] int,    
Status char(5) 
)       
INSERT INTO @TEMPResult EXEC(@DSQL)    
SELECT (Select Count(*) from @TEMPResult) as Count,ID,SUBSTRING(question, 1, 200)question ,SUBSTRING(Answer, 1,250)Answer, 
CreatedDate,LastModifiedDate,CreatedByIp ,LastModifiedByIp,CreatedBy,ModifiedBy, [Order], Status FROM @TEMPResult WHERE RowNum > @FirstRec AND RowNum < @LastRec 
RETURN       
End 

當問題或答案包含 「」「 我得到錯誤。 synatx在「'」附近是錯誤的。

我有什麼到目前爲止已經試過是：

我有字符串傳遞給存儲過程之前取代了「‘‘與’‘’’」」。它運行成功但沒有返回任何記錄，請幫助我，我該怎麼做。

Answer 1

你的方法會導致SQL注入 MSDN SQL injection

嘗試使用EXEC sp_executesql @SQLString, @ParamDef, @paramList ...

MSDN sp_executesql

您的代碼：連續

ALTER Proc [dbo].[USP_GETFAQ] 
@SortBy Varchar(128)='CreatedDate DESC',    
@Page int=1,    
@RecsPerPage int =10,    
@Status Char(5)='',   
@Question varchar(500)='',   
@Answer varchar(1000)='' 
As  
DECLARE @SQL NVARCHAR(MAX)    

DECLARE @FirstRec int, @LastRec int    
SET @FirstRec = (@Page - 1) * @RecsPerPage    
SET @LastRec = (@Page * @RecsPerPage + 1)    
Declare @SectionCount int;    
Set NoCount On    
Begin 

SET @SQL='SELECT * from ( 
Select ROW_NUMBER() over(order by '+@SortBy +') rownum, 
    * FROM faq where Status <>''D'''   

if @Status !='' and @Status is not null AND @Status!='ALL'   
begin   
SET @SQL+=' AND Status = @Status '   
end   
if @Question!=''   
begin   
    SET @Question = '%'+@Question+'%' 
    SET @SQL +=' AND Question like @Question' 
end   
if @Answer!=''   
begin   
    SET @Answer = '%'+@Answer+'%' 
    SET @SQL +=' AND Answer like @Answer'   
end   
SET @SQL += ') AS tbl' 

print @SQL    

DECLARE @ParamDefinition nvarchar(4000) 

SET @ParamDefinition = 
'@Status Char(5), 
@Question varchar(500), 
@Answer varchar(1000)'; 

DECLARE @TEMPResult TABLE(RowNum INT,    
ID uniqueIdentifier,    
Question varchar(500),    
Answer varchar(1000),    
CreatedDate DateTime,    
LastModifiedDate dateTime,    
CreatedByIp varchar(20),    
LastModifiedByIp varchar(20),    
CreatedBy varchar(50),    
ModifiedBy varchar(50),    
[Order] int,    
Status char(5) 
)       
INSERT INTO @TEMPResult 
EXECUTE sp_executesql @SQL, @ParamDefinition 
        ,@Status = @Status 
        ,@Question = @Question 
        ,@Answer = @Answer 

SELECT (Select Count(*) from @TEMPResult) as Count,ID,SUBSTRING(question, 1, 200)question ,SUBSTRING(Answer, 1,250)Answer, 
CreatedDate,LastModifiedDate,CreatedByIp ,LastModifiedByIp,CreatedBy,ModifiedBy, [Order], Status FROM @TEMPResult WHERE RowNum > @FirstRec AND RowNum < @LastRec 
RETURN       
End 

Answer 2

用3個單引號。喜歡 '''。不要使用任何雙引號。