  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 582

Apostrophe in insert command

When trying to insert a sentence with an apostrophe, nothing happens. I reckon it's because the sign is code as well and it destroys the meaning of the page for the system. Is there any way around it?
0
Vx_Chemical
Asked:
2 Solutions
 
Guy Hengel [angelIII / a3], Billing Engineer, commented:
I presume you are building the SQL query ad hoc using user input.

You should use parameterized queries; that way this issue, including SQL injection, will be solved (and the code will be more readable too, queries should execute faster, etc.).
0
 
Jini Jose, .Net Team Lead, commented:
TRY THIS

cQuery = "INSERT INTO [PAList]" +
    " ([PAListId],[NomineeName])" +
    " SELECT" +
    " @PAListId" +
    " ,@NomineeName";

// One SqlParameter per placeholder: the values travel separately from the
// SQL text, so an apostrophe in the nominee name is stored as-is.
SqlParameter[] oparam = new SqlParameter[2];
oparam[0] = new SqlParameter("@PAListId", PAListId);
oparam[1] = new SqlParameter("@NomineeName", txtNomineeName.Text); // index 1: the array has only two slots

try
{
    SQLData.ExecuteNonQuery(Util.Constring, CommandType.Text, cQuery, oparam);
    lblMessage.Text = "Successfully Updated";
}
catch (Exception ex)
{
    lblMessage.Text = ex.Message;
}

0
 
muhammadyasir commented:
Use a stored procedure to insert any data; then there will be no problem.
0
 
Rajar Ahmed, Consultant, commented:
Just replace one apostrophe with one more.

' fStory is spliced into the SQL text, so each ' in it must be doubled first
fStory = Replace(fStory, "'", "''")

sql = "INSERT Table1 (chColumnName) VALUES ('" & fStory & "')"

0
 
HugoHiasl commented:
Like angelIII said, it's a good approach to always use parameterized queries.

This will also keep your system clean and secure from SQL injection on login screens. It also helps when you are dealing with UTF-8 characters, etc.
0
 
JuniorMember commented:
There are two ways to do this:

A. The safest method is to use a parameter-based approach (SQL procedure or just SqlParameter):
******************************************************************************************
SqlCommand cmd = new SqlCommand();
cmd.Connection = conn;
cmd.CommandText = "INSERT INTO Table1 (FirstName, Address) VALUES (@FirstName, @Address)";

// Each placeholder gets its own parameter; the text box contents never become SQL
SqlParameter SqlParameter1 = new SqlParameter("@FirstName", Textbox1.Text);
cmd.Parameters.Add(SqlParameter1);

SqlParameter SqlParameter2 = new SqlParameter("@Address", Textbox2.Text);
cmd.Parameters.Add(SqlParameter2);

cmd.ExecuteNonQuery();

B. Add one extra line before the SQL execution:
******************************************************************************************
mysqlstring = Textbox1.Text;
// puts control character 29 between two apostrophes in place of each single one
mysqlstring = mysqlstring.Replace("'", "'" + (char)29 + "'");
// execute the SQL mysqlstring here

0
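To see the difference between the three approaches in the thread (splicing the value into the SQL, doubling apostrophes, and parameters), here is an added example that is not from the thread or from ADO.NET; it uses Python's built-in sqlite3 module and a constructed Table1 (chColumnName) in memory, and the sample values are made up.

```python
import sqlite3

# Constructed sample inputs (not from the thread): a plain apostrophe, and a
# value that also carries SQL punctuation, which must be stored as data.
NAME = "O'Brien"
TRICKY = "Rock 'n' roll; -- isn't a comment"


def make_db():
    """In-memory stand-in for the thread's Table1 (chColumnName)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Table1 (chColumnName TEXT)")
    return conn


def insert_concat(conn, value):
    """The ad-hoc query the asker has: the value is spliced into the SQL
    text, so its apostrophe closes the string literal early."""
    conn.execute("INSERT INTO Table1 (chColumnName) VALUES ('" + value + "')")


def insert_doubled(conn, value):
    """Rajar Ahmed's workaround: double each apostrophe before splicing.
    Correct for the quote character, but every call site must remember it."""
    escaped = value.replace("'", "''")
    conn.execute("INSERT INTO Table1 (chColumnName) VALUES ('" + escaped + "')")


def insert_param(conn, value):
    """Parameterized query (the SqlParameter approach above, in Python):
    the value travels separately from the SQL text and is never parsed."""
    conn.execute("INSERT INTO Table1 (chColumnName) VALUES (?)", (value,))


def try_insert(insert_fn, value):
    """Run one insert on a fresh table; return the stored rows, or None
    when the statement failed to execute at all."""
    conn = make_db()
    try:
        insert_fn(conn, value)
    except sqlite3.Error:
        return None
    return [row[0] for row in conn.execute("SELECT chColumnName FROM Table1")]


if __name__ == "__main__":
    for fn in (insert_concat, insert_doubled, insert_param):
        print(fn.__name__, try_insert(fn, NAME), try_insert(fn, TRICKY))
```

The concatenated version fails on both inputs (the "nothing happens" the asker sees, once the exception is surfaced), while the doubled and parameterized versions store both values exactly; only the parameterized one does so without the caller having to remember an escaping step.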
 
Jini Jose, .Net Team Lead, commented:
If you are using a parameterized query then there is no need for a replacement for ( ' ).
0
 
Vx_Chemical, Author, commented:
The system I am using is on a secure network with only cleared users. So if I didn't want to change too much of the code, how would I most easily exchange one ' for two ''?
0