How to put ' and " into sql

Igor · Jul 12, 2007

I need to put " and ' into sql server database.
I write:
string SQL = "INSERT INTO SomeTable (Email, Message) VALUES (' +
txtName.Text + "','" + txtMessage.text +')";

What if someone enters character ' in text box? Than I got error message
because ' is character for strings in sql. Then my sql query have more
fields because of this characters. How can I put ' and " into sql database?

Patrice · Jul 12, 2007

You could double quotes but it's better to use parameters so that you don't
have to escape quotes, format properly dates and decimal numbers (for
example if the app runs in a foreign country you could easily insert 2,5
instead of 2.5 in a SQL String etc) plus added security against SQL
injection attacks...

If your DB doesn"t support name parameters you can use ? instead.

Try :
http://aspnet101.com/aspnet101/tutorials.aspx?id=1

Guest · Jul 12, 2007

Igor,

You can always double your quote - just use string.Replace function.
Another way would be to create parametarized query, similar to the following:
string SQL = "insert into someTable (Email, Message) values (@Email,
@Message)";

This way you will not have to wory about quotes, and also quard yourself
against SQL injection attacks

Alex Meleta · Jul 12, 2007

Hi Igor,

I> string SQL = "INSERT INTO SomeTable (Email, Message) VALUES (' +
I> txtName.Text + "','" + txtMessage.text +')";

Avoid to combine the command into the string by security reasons. You should
use command parameters instead. See there:
http://www.csharp-station.com/Tutorials/AdoDotNet/Lesson06.aspx

Regards, Alex Meleta
[TechBlog] http://devkids.blogspot.com

Eliyahu Goldin · Jul 12, 2007

You should never insert user input directly into sql statements. Are you
aware of sql injection?

You should put the user input into query parameters. It will also solve your
original problem.

--
Eliyahu Goldin,
Software Developer
Microsoft MVP [ASP.NET]
http://msmvps.com/blogs/egoldin
http://usableasp.net

=?ISO-8859-1?Q?G=F6ran_Andersson?= · Jul 12, 2007

Igor said:
I need to put " and ' into sql server database.
I write:
string SQL = "INSERT INTO SomeTable (Email, Message) VALUES (' +
txtName.Text + "','" + txtMessage.text +')";

What if someone enters character ' in text box? Than I got error message
because ' is character for strings in sql. Then my sql query have more
fields because of this characters. How can I put ' and " into sql database?

As everyone already has said, you should use a parameterised query.

If you for some reason choose to format the string yourself, the first
thing you have to do is to find out how to escape the strings properly.
That depends on what database you are using, and if you don't do it
correctly, your application is wide open for sql injections. (That's why
you should use parameters.)

For MS SQL Server and MS Access you encode the string by replacing
apostrophes with double apostrophes.

For MySQL you encode the string by replacing \ with \\ and ' with \', in
that order.

Problem with a login script, SESSION user rights and put this together so it works with the other pages and MySQL. Code examples.	2	May 5, 2023
How to put loop result in csv file	1	Jan 3, 2023
How to store data from a sign up form on a website into an sql databse	1	Sep 9, 2022
How to login using PDO	3	Jul 21, 2021
How to write an advanced search?	3	Mar 2, 2022
How to change star rating color on mouseenter, on mouseout, and on onclick	0	Sep 28, 2018
How to save textBox values into a xml-file(with naming an choosing directory)?	1	Aug 23, 2022
Having a problem in one of my assignments - NEED HELP	0	Jul 20, 2023

How to put ' and " into sql

Igor

Patrice

Guest

Alex Meleta

Eliyahu Goldin

=?ISO-8859-1?Q?G=F6ran_Andersson?=

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads