Hi,

I'd like to INSERT a string into a database using C#. The way I've tried
it is the following:

sQuery = string.Format("INSERT INTO myTable (Header, Body) VALUES ('{0}','{1}')", sHeader, sBody);

It works fine until I have an occurrence of ' (an apostrophe) in either
of the string variables sHeader or sBody. How can I circumvent this?

Thanks in advance!

--
/Matthias

Re: C# and ADO.Net - Cheap Question! by Zak

Zak
Thu Mar 31 17:43:16 CST 2005

How about prefixing the apostrophe with the "\" escape character, in other
words "\'"?

"Matthias S." <postamt@_remove_emvoid_remove_.de> wrote in message
news:u4pH$ikNFHA.2252@TK2MSFTNGP15.phx.gbl...
> Hi,
>
> I'd like to INSERT a string into a database using C#. The way I've tried
> it is the following:
>
> sQuery = string.Format("INSERT INTO myTable (Header, Body) VALUES ('{0}','{1}')", sHeader, sBody);
>
> It works fine until I have an occurrence of ' (an apostrophe) in either
> of the string variables sHeader or sBody. How can I circumvent this?
>
> Thanks in advance!
>
> --
> /Matthias



Re: C# and ADO.Net - Cheap Question! by Matthias

Matthias
Thu Mar 31 18:01:42 CST 2005

Thanks for your reply. I actually don't know whether the sHeader or
sBody contain a '.

So if I go and Replace all occurrences of ' with \' my query string looks
like this:

"INSERT INTO myTable (Header, Body) VALUES ('thei\'re house is fine.','house')"

Which is not quite what I expected. Again, thanks for your help, which is
highly appreciated.

/Matthias

Zak wrote:
> How about prefixing the apostrophe with the "\" escape character, in other
> words "\'"?
>
> "Matthias S." <postamt@_remove_emvoid_remove_.de> wrote in message
> news:u4pH$ikNFHA.2252@TK2MSFTNGP15.phx.gbl...
>
>>Hi,
>>
>>I'd like to INSERT a string into a database using C#. The way I've tried
>>it is the following:
>>
>>sQuery = string.Format("INSERT INTO myTable (Header, Body) VALUES ('{0}','{1}')", sHeader, sBody);
>>
>>It works fine until I have an occurrence of ' (an apostrophe) in either
>>of the string variables sHeader or sBody. How can I circumvent this?
>>
>>Thanks in advance!
>>
>>--
>>/Matthias
>
>
>

Re: C# and ADO.Net - Cheap Question! by Bruce

Bruce
Thu Mar 31 18:31:12 CST 2005

You have two choices. Either write a method like this:


/// <summary>
/// Escapes the given text so that it can appear within single quotes in a
/// <see cref="DataColumn.Expression"/>.
/// </summary>
/// <param name="textToEscape">The string to escape.</param>
/// <returns>The escaped string, ready to be included in a
/// <see cref="DataColumn.Expression"/>.</returns>
public static string EscapeText(string textToEscape)
{
    // Escape existing backslashes first, so the backslashes added for the
    // quotes in the next step are not doubled again.
    string backslashesEscaped = textToEscape.Replace(@"\", @"\\");
    string backslashAndSingleQuoteEscaped = backslashesEscaped.Replace(@"'", @"\'");

    return backslashAndSingleQuoteEscaped;
}

and say

sQuery = String.Format("INSERT INTO myTable (Header, Body) VALUES ('{0}','{1}')", EscapeText(sHeader), EscapeText(sBody));

or, even better, use parameters when you're building your SQL command.
If you're using Odbc, for example, look at the OdbcParameter class.

Parameters are the preferred way to do things, because then you can
never forget to escape strings and you're not subject to SQL injection
attacks as a result. However, be forewarned that there is a bug in
.NET's ODBC support that makes decimal parameters blow up, so you have
to insert decimal values directly into the query string as you're doing.


Re: C# and ADO.Net - Cheap Question! by Val

Val
Thu Mar 31 19:52:11 CST 2005

Hi,

To avoid this issue you need to pass the values as parameters, not
concatenate them into the SQL statement. In this case the provider will
handle single quotes properly regardless of how many of them are in a value.
It also handles other special characters.

--
Val Mazur
Microsoft MVP

http://xport.mvps.org



"Matthias S." <postamt@_remove_emvoid_remove_.de> wrote in message
news:u4pH$ikNFHA.2252@TK2MSFTNGP15.phx.gbl...
> Hi,
>
> I'd like to INSERT a string into a database using C#. The way I've tried
> it is the following:
>
> sQuery = string.Format("INSERT INTO myTable (Header, Body) VALUES ('{0}','{1}')", sHeader, sBody);
>
> It works fine until I have an occurrence of ' (an apostrophe) in either
> of the string variables sHeader or sBody. How can I circumvent this?
>
> Thanks in advance!
>
> --
> /Matthias



C# and ADO.Net - Cheap Question! by Elton

Elton
Thu Mar 31 22:13:21 CST 2005

It's better to use parameters or replace the single quotes
with double quotes to avoid SQL injection.

HTH

Elton Wang
elton_wang@hotmail.com

>-----Original Message-----
>Hi,
>
>I'd like to INSERT a string into a database using C#. The way I've tried
>it is the following:
>
>sQuery = string.Format("INSERT INTO myTable (Header, Body) VALUES ('{0}','{1}')", sHeader, sBody);
>
>It works fine until I have an occurrence of ' (an apostrophe) in either
>of the string variables sHeader or sBody. How can I circumvent this?
>
>Thanks in advance!
>
>--
>/Matthias

Re: C# and ADO.Net - Cheap Answer! - was Re: C# and ADO.Net - Cheap Question! by Stephany

Stephany
Thu Mar 31 23:13:03 CST 2005

If you do it properly and use either a parameterised SqlCommand or a
parameterised OleDbCommand object, then you won't have this issue.


"Matthias S." <postamt@_remove_emvoid_remove_.de> wrote in message
news:u4pH$ikNFHA.2252@TK2MSFTNGP15.phx.gbl...
> Hi,
>
> I'd like to INSERT a string into a database using C#. The way I've tried
> it is the following:
>
> sQuery = string.Format("INSERT INTO myTable (Header, Body) VALUES ('{0}','{1}')", sHeader, sBody);
>
> It works fine until I have an occurrence of ' (an apostrophe) in either
> of the string variables sHeader or sBody. How can I circumvent this?
>
> Thanks in advance!
>
> --
> /Matthias

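The parameterized approach that Bruce, Val and Stephany recommend, as an added example that is not code posted by anyone in this thread: the question's string.Format statement next to a SqlCommand that sends the same two values as parameters. The connection string, the myTable columns and their sizes are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class InsertExample
{
    // The original post's approach: the values are spliced into the SQL
    // text, so an apostrophe in sHeader or sBody ends the string literal
    // early and the rest of the value is read by the server as SQL.
    public static string BuildUnsafeQuery(string sHeader, string sBody)
    {
        return string.Format(
            "INSERT INTO myTable (Header, Body) VALUES ('{0}','{1}')",
            sHeader, sBody);
    }

    // Parameterized version: the SQL text never changes and the values are
    // sent separately, so the provider handles quotes and other special
    // characters and no EscapeText-style helper is needed.
    public static int InsertParameterized(string connectionString,
                                          string sHeader, string sBody)
    {
        const string sql =
            "INSERT INTO myTable (Header, Body) VALUES (@Header, @Body)";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Column sizes are assumptions; -1 means nvarchar(max).
            cmd.Parameters.Add("@Header", SqlDbType.NVarChar, 200).Value = sHeader;
            cmd.Parameters.Add("@Body", SqlDbType.NVarChar, -1).Value = sBody;
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected; 1 on success
        }
    }

    static void Main()
    {
        // Constructed input containing the apostrophe from the thread.
        string header = "thei're house is fine.";
        string body = "house";
        // Prints the broken statement without sending it anywhere.
        Console.WriteLine(BuildUnsafeQuery(header, body));

        // Placeholder connection string (assumption); point it at a real
        // database that has myTable(Header, Body) to run the insert.
        string cs = "Server=(local);Database=MyDb;Integrated Security=true";
        Console.WriteLine("Rows inserted: " + InsertParameterized(cs, header, body));
    }
}
```

OleDbCommand and OdbcCommand follow the same pattern but use positional ? placeholders instead of named @ parameters, with the parameters added in the order the placeholders appear.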


Re: C# and ADO.Net - Cheap Answer! - was Re: C# and ADO.Net - Cheap Question! by mboizeau

mboizeau
Fri Apr 01 02:31:29 CST 2005

Yes, I think too that parameterizing an OleDbCommand is the solution.
I've put a sample code here:
http://oraclevsmicrosoft.blogspot.com/2005/03/quotes-parameters.html



hope this helps


Marc Boizeau


http://oraclevsmicrosoft.blogspot.com