• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1222
  • Last Modified:

Escaping Single Quote in C# for the string inserted into SQL Server Database

I am trying to use the Replace method in the C# code behind to escape single quotes (change it to double quotes). However, when the stored proc SaveMktMessForGivenProductType is run, the data is incorrectly inserted with double quotes rather than a single quote. I replaced the single quote to double quote in order to escape it and avoid erroring in SQL script, not for it to be inserted with the replaced extra quote within the database. Please see the code section and see if you can find a reason why the data is inserted with double quotes. Please help.
dsMktMessage = rdg.GetMktMessForGivenProductType("GetMktMessForGivenProductType", _ProductTypeID, "ProductTypeID", _HandheldIDMktMess, "HandheldID");
                        
                        dsMktMessage.Tables[0].TableName = MKTMESSAGING;

                        if (dsMktMessage.Tables[MKTMESSAGING].Rows.Count > 0)
                        {
                            _MktMessageOrigText = dsMktMessage.Tables[MKTMESSAGING].Rows[0]["MktMessage"].ToString();
                            _KeySellPtOrigText = dsMktMessage.Tables[MKTMESSAGING].Rows[0]["KeySellPt"].ToString();
                        }

                        rdg.SaveMktMessForGivenProductType("SaveMktMessForGivenProductType", _ProductTypeID, _HandheldIDMktMess, _MktMessageText.Replace("'", "''"), _KeySellingPointsText.Replace("'", "''"), _MktMessageOrigText.Replace("'", "''"), _KeySellPtOrigText.Replace("'", "''"));

Open in new window

0
skaleem1
Asked:
skaleem1
1 Solution
 
Carl TawnSystems and Integration DeveloperCommented:
How are you writing to the database, are you parameterised queries? If you are then you don't need to escape the apostrophe, it will be done automatically.
0
 
Todd GerbertIT ConsultantCommented:
You should use parameters instead of trying to escape the quotes... rdg.SaveMktMessForGivenProductType() is your method, and in it using a SqlConnection/SqlCommand?  If so, then you could use a method like below and pass in strings with single quotes without needing to escape them.

static void SaveRecordToDbTest(string field1, string field2)
{
	SqlConnection connection = new SqlConnection("Connection String");
	SqlCommand command = connection.CreateCommand();

	command.CommandText = "INSERT INTO TableName (FieldNameOne,FieldNameTwo) VALUES(@FieldOneValue, @FieldTwoValue)";
	command.Parameters.AddWithValue("@FieldOneValue", field1).DbType = DbType.String;
	command.Parameters.AddWithValue("@FieldTwoValue", field2).DbType = DbType.String;
	command.ExecuteNonQuery();

	command.Dispose();
	connection.Close();
	connection.Dispose();
}

Open in new window

0
 
skaleem1Author Commented:
This is the method I am calling:

public void SaveMktMessForGivenProductTypeAndHandheld(string StoredProcName, string ProductTypeID, string HandheldIDMktMess, string MktMessageText, string KeySellingPointsText, string MktMessageOrigText, string KeySellPtOrigText)
        {
            Database theDB = DatabaseFactory.CreateDatabase("AccessoriesConnectionString");
            theDB.ExecuteNonQuery(StoredProcName, new object[] { ProductTypeID, HandheldIDMktMess, MktMessageText, KeySellingPointsText, MktMessageOrigText, KeySellPtOrigText });
        }
0
Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

 
skaleem1Author Commented:
Using Enterprise Library 4.1
0
 
cyberkiwiCommented:
The only things I can think of

... if you mean double-quotes as in the "double quote", then it is contained in the data itself.

... if you mean double-quotes as in TWO x single-quotes, then SaveMktMessForGivenProductType may ALSO contain the replace-protect single-quotes. In which case you are doing it twice.
0
 
Carl TawnSystems and Integration DeveloperCommented:
Well from your definition you appear to be using a stored procedure, so escaping the apostrophes shouldn't be necessary.
0
 
skaleem1Author Commented:
Thanks carl_tawn. I removed the replace method to escape single quote and the data is inserted as expected.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now