<div>
I second the use of parameterized queries. Using string concatenation to build queries opens you up to <a href="http://en.wikipedia.org/wiki/SQL_injection" rel="ugc">SQL Injection</a> attacks.
</div>


I second the use of parameterized queries. Using string concatenation to build queries opens you up to SQL Injection [http://en.wikipedia.org/wiki/SQL_injection] attacks.

<div>
<div class="content wysiwyg-content">
I want to do an insert into an SQL Server table but some of the variables have embeded quotes and commas<br />
<br />
How do I insert variables that have embedded quotes and commas?<br />
<br />
Example<br />
<br />
strContactName = Drake, Tree, Castles &nbsp;(has a comma)<br />
strContactLocation = Tree's are Us &nbsp; (has a single quote)<br />
<br />
When I try and Insert these I get an error how do I work around it.<br />
<br />
sql = &quot;insert into Contacts(ContactName, ContactLocation) &quot;;<br />
sql = sql + &quot;&nbsp;values('&quot; + strContactName + &quot;',&quot; + strContactLocation + &quot;')&quot;;<br />
cmdw.CommandText = sql;
</div>
</div>


I want to do an insert into an SQL Server table but some of the variables have embeded quotes and commas

How do I insert variables that have embedded quotes and commas?

Example

strContactName = Drake, Tree, Castles  (has a comma)
strContactLocation = Tree's are Us   (has a single quote)

When I try and Insert these I get an error how do I work around it.

sql = "insert into Contacts(ContactName, ContactLocation) ";
sql = sql + " values('" + strContactName + "'," + strContactLocation + "')";
cmdw.CommandText = sql;

C# SQL Server Insert Embedded quotes

C# is an object-oriented programming language created in conjunction with Microsoft’s .NET framework. Compilation is usually done into the Microsoft Intermediate Language (MSIL), which is then JIT-compiled to native code (and cached) during execution in the Common Language Runtime (CLR).