
String and Quotes in them

I have the following SELECT Statement.

dbcommand.CommandText = "SELECT * FROM tblUsers WHERE Username=" + uname;

However, in order for it to work properly I have to put quotes around the result of the passed uname variable. How do I do this in C#?

So if uname was passed as Mike, the SELECT statement would need to be SELECT * FROM tblUsers WHERE Username="Mike"
I cannot get the quotes around the name.

1 Solution
Éric Moreau, Senior .Net Consultant, commented:
Hi sneeri_c,

dbcommand.CommandText = "SELECT * FROM tblUsers WHERE Username= '" + uname + "'";

Just to add to emoreau (that's completely right):

Usually single quotes are used, and the way is shown above. If you need double quotes for some reason, use escape chars:

"SELECT * FROM tblUsers WHERE Username=\"" + uname + "\"";

Of course, this is an invitation to a code injection attack. You should use a command with parameters instead.
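
The command with parameters recommended in the last comment, as an added example that is not part of the original thread. It assumes the Microsoft.Data.Sqlite NuGet package for a throwaway in-memory database; `CountUsers`, the `@uname` parameter name and the sample rows are hypothetical, and some providers (OleDb, for instance) use positional `?` placeholders instead of named ones.

```csharp
using System;
using System.Data;
using System.Data.Common;
using Microsoft.Data.Sqlite; // assumption: demo provider only; any ADO.NET provider works

static class UserLookup
{
    // Hypothetical helper. The SQL text is a constant; uname travels as a bound
    // parameter, so no quoting or escaping is needed and a quote character in
    // the value cannot change the structure of the statement.
    public static int CountUsers(DbConnection conn, string uname)
    {
        using DbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM tblUsers WHERE Username = @uname";

        DbParameter p = cmd.CreateParameter();
        p.ParameterName = "@uname";
        p.DbType = DbType.String;
        p.Value = uname;
        cmd.Parameters.Add(p);

        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();

        // Constructed sample data for the demo.
        using (DbCommand setup = conn.CreateCommand())
        {
            setup.CommandText =
                "CREATE TABLE tblUsers (Username TEXT);" +
                "INSERT INTO tblUsers VALUES ('Mike'), ('O''Brien');";
            setup.ExecuteNonQuery();
        }

        // "O'Brien" would produce a syntax error in the concatenated version
        // from the thread; as a parameter it is matched as plain data.
        foreach (string name in new[] { "Mike", "O'Brien", "Nobody" })
            Console.WriteLine($"{name}: {CountUsers(conn, name)} row(s)");
    }
}
```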
