Problem with sending (') in string

Pankaj Singh


15y
3.1k
1
Hi,

I have a problem. I have designed a web page in ASP.NET 3.5. I have a TextBox and a button, and the user is expected to write some comment in the TextBox. The comment in the TextBox can also include a ('). On the click of the button, the data in the TextBox will be inserted into SQL.

Now the problem is: as you know, if you insert something into a varchar it has to be enclosed in ('), but in the above case, due to the (') in the string itself, there will be an error.

So, is there a way to insert the data into SQL?

Thanks
Pankaj
Answers (6)
0
naura pax
NA 1.9k 64.8k 15y

Hi Pankaj,
If you are creating a dynamic query, then at the time of creating the SQL string you can do the following, for example:
 wherestring+=txt.Replace("'","''"); 
// A single quote is passed as a string in the first parameter,
// and the single quote is written twice ('') for the second.
Accepted
0
Master  Billa
NA 2.7k 0 15y
Hi

When you use the single quote, you need to add two extra quotes to the string, or else it makes for SQL injection.

About this, please take a look:

http://archives.devshed.com/forums/windows-107/sql-injecttion-401471.html

Thank you


0
Pankaj Singh
NA 69 0 15y
Thanks
0
Kirtan Patel
NA 35k 2.8m 15y
Hi, you just need to replace every single quote written once with one written twice.

Suppose you are inserting the string

" pankaj's Name "

then you should write the string like

"Pankaj' 's name "     (the single quote written twice before the 's')

That's it :)

It is better to write a function that will replace every single quote in the string with one written twice:

public string CSQ(string str)
{
    // Strings.Replace comes from the Microsoft.VisualBasic namespace
    // (add: using Microsoft.VisualBasic;)
    return Strings.Replace(str, "'", "''");
}

If it helps you, please check "Do you like this answer"
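
An added example, not part of any answer in this thread: with ADO.NET the comment can be sent as a SqlParameter, so the apostrophe reaches SQL Server as data and the SQL text never contains user input. The table `Comments`, the column `CommentText`, the varchar(500) size and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CommentStore
{
    // Hypothetical table and column. The statement text is a constant.
    private const string InsertSql =
        "INSERT INTO Comments (CommentText) VALUES (@comment)";

    // Builds the command. The comment travels as a typed parameter value,
    // so a (') inside it is data and must not be doubled by hand.
    public static SqlCommand BuildInsert(string comment)
    {
        SqlCommand cmd = new SqlCommand(InsertSql);
        // Explicit type and size (assumed varchar(500)) instead of inference.
        cmd.Parameters.Add("@comment", SqlDbType.VarChar, 500).Value = comment;
        return cmd;
    }

    // Runs the insert; connectionString is supplied by the caller (assumption).
    public static int Save(string connectionString, string comment)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = BuildInsert(comment))
        {
            cmd.Connection = conn;
            conn.Open();
            return cmd.ExecuteNonQuery(); // number of rows inserted
        }
    }

    public static void Main()
    {
        // Constructed sample inputs containing single quotes.
        string[] samples = { "pankaj's Name", "a 'quoted' word" };
        foreach (string s in samples)
        {
            using (SqlCommand cmd = BuildInsert(s))
            {
                // Same statement text for every input; only the value differs.
                Console.WriteLine(cmd.CommandText);
                Console.WriteLine("  @comment = " + cmd.Parameters["@comment"].Value);
            }
        }
    }
}
```

From the button's click handler, `CommentStore.Save` would be called with the TextBox's `Text` unchanged.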






0
jinge
NA 2.4k 23.5k 15y