RichTextbox

Socheat Net

I have forum page in my web site, i want user to type comments and can insert icon also like richtextbo, but i don'w know, one thing i have problem with symbal such as single quote i can not insert in to database by using ASP.NET:zzz: ................

Paddy Boyd

Use a properly parameterised query and you should be fine.

Socheat Net

I don't know how to use it ................

Paddy Boyd

Can i point you towards google?

//Start connection and create command object etc.

string mySql;

mySql = "Insert into myTable (aField) values (@MyValue)"

sqlCommand.CommandType = CommandType.Text;
sqlCommand.CommandText = mySql;
sqlCommand.Parameters.Add(new SqlParameter("@MyValue", theActualValue));

//Execute your command

This is roughly the syntax.

Socheat Net

It is possible if i use it in Microsoft Access? ................

Paddy Boyd

My isn't google[^] wonderful.

Mihai Drebot

There is an esier fix for this specific problem, although it's not highly recomended: use a [your_string].Replace("'","''"); This fixes the ' ruining your sql sintax. Just make sure you read a bit about sql injection threat. You realy should try and use strong typed, prametrized stored procedures. Mihai Voicu Drebot, .Net developer

Sushant Duggal

Hi, you can either replace single quote with two single quotes or use HttpUtility.HtmlEncode("YOUR TEXT") before inserting it to database... and use HttpUtility.HtmlDecode("DB CONTENTS") before displaying it. I hope it helps you Thanks Sushant Duggal.

Socheat Net

Can give an example? ................

Socheat Net

Can u give me sql statement? ................

Sushant Duggal

suppose your freetextbox ID is txtContents so what we do is : string sqlQuery = "insert into tablename(contents) values('" + HttpUtility.HtmlEncode(txtContents.Text) + "')"; now use this query to insert the record. When you try to display this data .... suppose you get data back from database in dataset. and column name is Content string returnedContents = HttpUtility.HtmlDecode(ds.tables[0].rows[0]["Content"].ToString()); Now you can display it in the page. I am typing directly here, so please check typo mistakes. Thanks Sushant Duggal.

Mihai Drebot

say you have to store a string , myString, in a table named demoTable, in the info field you would simply have this sql: @"insert into demoTable (info) values ('"+myString+"')" before you do that, you have to do this: myString = myString.Replace("'","''"); this way, you have 2 ' instead of one, and that's interpreted by the sql as a single quote inside a string value, rather than a single quote terminating the string value. Again, make sure you read about the sql injection attacks