逃生的即席查詢單引號

Question

我有以下查詢：

MySqlCommand command = new MySqlCommand(
@"SELECT `Customer ID`, `First Name`, `Last Name`, `Role` 
    FROM `Contacts` WHERE `Customer ID` = '" + customerID + "'", connection); 

如果客戶ID具有內撇號（即Adam's Meat），我得到的錯誤：

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Meat'' at line 1

是什麼使這個查詢工作的最好方法是什麼？

Answer 1

你應該用參數來代替，這樣還可以防止SQL注入：

MySqlCommand command = new MySqlCommand(@"SELECT `Customer ID`, `First Name`, `Last Name`, `Role` FROM `Contacts` WHERE `Customer ID` = ?CostumerID", connection); 
command.Parameters.Add("?CustomerID", customerID);