Inserting strings into a database

I am more a of PHP programmer and I'm used to mysql_real_escape_string (basically escapes special character that would produce SQL errors for those who never touched PHP). Is there a similiar function or method to safely insert strings into a database in Visual Basic .NET using Microsoft SQL Server 2005 Express Edition? Code would help. Thanks.
LVL 2
LinkyAsked:
Who is Participating?
 
tpwellsConnect With a Mentor Commented:
ADO.NET connector Parameters help to make sure the data is "safe" for execution agains the database.

Are you using ODBC or the MySql.Data provider to access your database?

I use MySql.Data
found at:http://dev.mysql.com/downloads/connector/net/1.0.html

      Dim cn as new MySqlConnection(connection_string)
      cn.Open()
      Dim cm as new MySqlCommand = cn.CreateCommand()

      cm.CommandText = "INSERT into myTable (column1,column2,column3) VALUES (?column1,?column2,?column3)"

      cm.Parameters.Add("?column1",MyValue1)
      cm.Parameters.Add("?column2",MyValue2)
      cm.Parameters.Add("?column3",MyValue3)

      cm.ExecuteNonQuery()

      cn.Close()


If you use ODBC then I think you need to replace the "?"s with "@"

0
 
newyuppieCommented:
in this link i found a C# function that is supposed to imitate this functionality. translated to vb.net using online free translator:

http://mysql.speedbone.de/doc/refman/5.0/en/connector-net-architecture-connection.html
**
Private Function escapeSQL(ByVal text As String) As String
 Dim invalidSQLChars As String() = New String(7) {"" & Microsoft.VisualBasic.Chr(0) & "", "" & Microsoft.VisualBasic.Chr(10) & "", "" & Microsoft.VisualBasic.Chr(13) & "", "\", "'", """", "ยก"}
 Dim i As Integer = 0
 While i < invalidSQLChars.Length
   text = text.Replace(invalidSQLChars(i), "\" + invalidSQLChars(i))
   System.Math.Min(System.Threading.Interlocked.Increment(i),i-1)
 End While
 Return text
End Function

you would need to pass an unsafe string to this function and it would return a safe string hopefully
0
 
newyuppieConnect With a Mentor Commented:
dont know why this line got added: System.Math.Min(System.Threading.Interlocked.Increment(i),i-1). if function is not working just remove that line (i dont much like it)


original C# code in case you can translate:
private string escapeSQL(string text) {
// imitates behaviour of the PHP mysql_real_escape_string function
string[] invalidSQLChars = new string[7] {"\x00", "\n", "\r", "\\", "'", "\"", "\x1a"};
for (int i = 0; i < invalidSQLChars.Length; i++)
text = text.Replace(invalidSQLChars[i], "\\" + invalidSQLChars[i]);
return text;
}
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LinkyAuthor Commented:
Yes but shouldn't there be a built in function that does it?
0
 
newyuppieCommented:
if there should, i havent heard about it.
0
 
LinkyAuthor Commented:
Thanks tpwells, that method works well.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.