Idarac
asked on
C# SQL Server Insert Embedded quotes
I want to do an insert into an SQL Server table but some of the variables have embeded quotes and commas
How do I insert variables that have embedded quotes and commas?
Example
strContactName = Drake, Tree, Castles (has a comma)
strContactLocation = Tree's are Us (has a single quote)
When I try and Insert these I get an error how do I work around it.
sql = "insert into Contacts(ContactName, ContactLocation) ";
sql = sql + " values('" + strContactName + "'," + strContactLocation + "')";
cmdw.CommandText = sql;
How do I insert variables that have embedded quotes and commas?
Example
strContactName = Drake, Tree, Castles (has a comma)
strContactLocation = Tree's are Us (has a single quote)
When I try and Insert these I get an error how do I work around it.
sql = "insert into Contacts(ContactName, ContactLocation) ";
sql = sql + " values('" + strContactName + "'," + strContactLocation + "')";
cmdw.CommandText = sql;
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I second the use of parameterized queries. Using string concatenation to build queries opens you up to SQL Injection attacks.
ASKER
Thank you