Escape sequence in insert query
Hi all :) I am submitting a query like insert into test(PID,Details) values(2,'"+txtdetails.Text+"'). My problem is that if txtdetails contains a string like "amit's brother resides in delhi", the character (') creates a problem. I don't want any loop to check the index of the character (') because the string is too large and has a number of characters like ('). I just want a simple query to insert the string. Thanks in advance, srinandan
For insert into test(PID,Details) values(2,'"+txtdetails.Text+"'), use command parameters:

    int ptd = 2;
    // myconn is your open-able SqlConnection
    cmd = new SqlCommand("Insert into test(PID,Details) values (@ptd,@details1)", myconn);
    cmd.Parameters.AddWithValue("@ptd", ptd);
    cmd.Parameters.AddWithValue("@details1", txtdetails.Text.Trim());
    myconn.Open();
    cmd.ExecuteNonQuery();
    myconn.Close();

Or simply insert 2 directly and use a parameter for the second one. anuj
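A fuller version of the parameterized insert described above, written as an added example rather than code from the thread. It assumes a table test(PID int, Details nvarchar(max)) and a connection string in connStr; both are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the original poster's code.
// Assumes table test(PID int, Details nvarchar(max)) and a valid connStr.
static class SafeInsert
{
    // Returns the number of rows inserted.
    public static int InsertDetails(string connStr, int pid, string details)
    {
        // The SQL text never contains user input; only the parameter names.
        const string sql = "INSERT INTO test (PID, Details) VALUES (@pid, @details)";

        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed, sized parameters: the value travels separately from the
            // statement, so an apostrophe (or any other character) in it is
            // plain data and can neither break the query nor alter it.
            cmd.Parameters.Add("@pid", SqlDbType.Int).Value = pid;
            cmd.Parameters.Add("@details", SqlDbType.NVarChar, -1).Value =
                (object)details ?? DBNull.Value;   // -1 = nvarchar(max)

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        // Placeholder connection string; replace with your own.
        string connStr = "Server=.;Database=TestDb;Integrated Security=true;";

        // The exact text from the question, apostrophe included.
        string text = "amit's brother resides in delhi";

        int rows = InsertDetails(connStr, 2, text);
        Console.WriteLine(rows + " row(s) inserted");
    }
}
```

No escaping or character-by-character scanning is needed; the database driver handles the value, and the same code also closes the string-concatenation hole the second reply warns about.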
dcjoshi2
What you are trying to do is incredibly dangerous. You should never insert user-submitted text directly into a database in this way, because you are opening up your application to a SQL injection attack. See this article for more info: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000002.asp?_r=1