Solved

VB.NET App with SQL SELECT WHERE and Single Quote in Field

Posted on 2014-03-19
Last Modified: 2014-03-19
I have the following code in a VB.NET Web Form app that searches for names in a FileTable:
Dim connectionString As String = "Data Source=AV-W12-ROMS-1;Initial Catalog=RESUMES;Integrated Security=True"
Dim sql As String = ""
Dim connection As New SqlConnection(connectionString)
Dim cmd As New SqlCommand
sql = "SELECT IsNull(COUNT(1),0) as 'count' FROM RESUMES.dbo.ftbl_resume_files WHERE CONTAINS([name],'" + search_name + "')"
connection.Open()
cmd.Connection = connection
cmd.CommandText = sql
name_count = cmd.ExecuteScalar()
connection.Close()


I ran into an error when one of the search_name field values was O'leary because of the single quote.  How can I avoid it but include it in the search?
Question by:wchestnut
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39940966
How about enclosing it between "" instead of '':
sql = "SELECT IsNull(COUNT(1),0) as 'count' FROM RESUMES.dbo.ftbl_resume_files WHERE CONTAINS([name],""" + search_name + """)"


HTH,
Dan
 

Author Comment

by:wchestnut
ID: 39940986
No, that didn't work... SQL didn't like the double-quotes.
 
LVL 34

Expert Comment

by:Dan Craciun
ID: 39940996
Yeah, it's confusing. Try this:

sql = "SELECT IsNull(COUNT(1),0) as 'count' FROM RESUMES.dbo.ftbl_resume_files WHERE CONTAINS([name],""" + search_name + """ + ")"

 
LVL 52

Accepted Solution

by:
Carl Tawn earned 500 total points
ID: 39941007
If you're using inline SQL then you need to escape the single apostrophe with a double apostrophe:
sql = "SELECT IsNull(COUNT(1),0) as 'count' FROM RESUMES.dbo.ftbl_resume_files WHERE CONTAINS([name],'" + search_name.Replace("'", "''") + "')"


Although a parameterised query would be a neater, and safer, option.
0
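The parameterised query mentioned at the end of the accepted answer, as an added example that is not part of the original thread: the search text travels as a parameter value, so an apostrophe in O'leary never reaches the SQL parser as syntax. The names ResumeSearch, ToFullTextPhrase and CountMatchingNames are hypothetical, and wrapping the term in double quotes so CONTAINS treats it as one literal phrase is an added assumption about the intended match.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module ResumeSearch
    ' Connection string and table name are the ones shown in the question.
    Private Const ConnectionString As String =
        "Data Source=AV-W12-ROMS-1;Initial Catalog=RESUMES;Integrated Security=True"

    ' Hypothetical helper. Inside a CONTAINS search condition a phrase is
    ' delimited by double quotes, so embedded double quotes are doubled and
    ' the whole term is wrapped. This is full-text grammar, not SQL quoting,
    ' and it keeps names with spaces (e.g. "Mary O'leary") valid.
    Function ToFullTextPhrase(term As String) As String
        Return """" & term.Replace("""", """""") & """"
    End Function

    ' Hypothetical helper: returns how many file names match searchName.
    Function CountMatchingNames(searchName As String) As Integer
        ' The statement text is constant; no user input is concatenated in.
        Const sql As String =
            "SELECT IsNull(COUNT(1),0) as 'count' " &
            "FROM RESUMES.dbo.ftbl_resume_files " &
            "WHERE CONTAINS([name], @search)"

        ' Using blocks close the connection even if ExecuteScalar throws.
        Using connection As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand(sql, connection)
                ' Sent to the server as a typed value, separate from the
                ' statement, so quotes in it cannot change the query.
                cmd.Parameters.Add("@search", SqlDbType.NVarChar, 4000).Value =
                    ToFullTextPhrase(searchName)

                connection.Open()
                Return CInt(cmd.ExecuteScalar())
            End Using
        End Using
    End Function
End Module
```

With this in place the call site becomes name_count = CountMatchingNames(search_name), and no Replace("'", "''") step is needed.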
 

Author Closing Comment

by:wchestnut
ID: 39941012
Thanks, Carl!  That worked perfectly!