single quotes in vb.net
-
Thank You sir.
While the previous poster did answer your question the result is very poor and potentially dangerous advice. That way SQL Injection Attacks lay. Please read SQL Injection Attacks and Tips on How To Prevent Them[^] and then change your code to use parameterised queries rather than string substitution.
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
-
Hi, Yes u can add quotes just by replacing single quote with double quote. Replacing will add only single quote in database. Example: strName=Xyz's "Insert into table1(Name) Values('" & Replace(strName,"'","''") & "')" Regards Ali Raza
That way SQL Injection Attacks lay - While you did answer the OP's question, the better answer would have been to replace string injection with parameterised queries. That way you don't have to worry about apostrophes in the data and you help prevent SQL Injection Attacks. Please read SQL Injection Attacks and Tips on How to Prevent Them[^]
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
-
yes, you can. try following format str="insert into table1 values (" & """" & var1 & """" & ")" where var1 may contain single & double quotes. hope this helps
Rupesh Kumar Swami Software Engineer, Integrated Solution, Bikaner (India)
Not another one. Please please please! Will people please learn about SQL Injection Attacks! If you see someone asking a question like this again the best course is to guide them towards parameterised queries as it helps prevent SQL Injection Attacks. Any answer that still involved injecting data in to a SQL String is potentially dangerous. Please read SQL Injection Attacks and Tips on How to Prevent Them[^]
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
-
Not another one. Please please please! Will people please learn about SQL Injection Attacks! If you see someone asking a question like this again the best course is to guide them towards parameterised queries as it helps prevent SQL Injection Attacks. Any answer that still involved injecting data in to a SQL String is potentially dangerous. Please read SQL Injection Attacks and Tips on How to Prevent Them[^]
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
-
Not another one. Please please please! Will people please learn about SQL Injection Attacks! If you see someone asking a question like this again the best course is to guide them towards parameterised queries as it helps prevent SQL Injection Attacks. Any answer that still involved injecting data in to a SQL String is potentially dangerous. Please read SQL Injection Attacks and Tips on How to Prevent Them[^]
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
"If it's not Scottish - It's CR****P!"
A guide to posting questions on CodeProject[^]
Dave Kreskowiak Microsoft MVP Visual Developer - Visual Basic
2006, 2007 -
yes, you can. try following format str="insert into table1 values (" & """" & var1 & """" & ")" where var1 may contain single & double quotes. hope this helps
Rupesh Kumar Swami Software Engineer, Integrated Solution, Bikaner (India)
Hi, I don't know if could exist other problems, but I've resolved the problem doubling the apostrophes: str="INSERT INTO Table1 VALUES(" & Replace(Var1,"'","''") & ")" In this way, SQL injection by writing apostrophes is not possible (or it is anyway ?)
Peace!
-
Hi, I don't know if could exist other problems, but I've resolved the problem doubling the apostrophes: str="INSERT INTO Table1 VALUES(" & Replace(Var1,"'","''") & ")" In this way, SQL injection by writing apostrophes is not possible (or it is anyway ?)
Peace!
But you are still injecting values into the SQL command. If you are injecting values in to the SQL command then attacks are possible. That's why it is called a SQL injection attack.
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
-
"If it's not Scottish - It's CR****P!"
A guide to posting questions on CodeProject[^]
Dave Kreskowiak Microsoft MVP Visual Developer - Visual Basic
2006, 2007Dave Kreskowiak wrote:
"If it's not Scottish - It's CR****P!"
Gaun yersel there, Big Yin.
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
-
Dave Kreskowiak wrote:
"If it's not Scottish - It's CR****P!"
Gaun yersel there, Big Yin.
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
Colin Angus Mackay wrote:
Gaun yersel there, Big Yin.
It took me a minute to figure that one out! :-D Thank you!
A guide to posting questions on CodeProject[^]
Dave Kreskowiak Microsoft MVP Visual Developer - Visual Basic
2006, 2007 -
Not another one. Please please please! Will people please learn about SQL Injection Attacks! If you see someone asking a question like this again the best course is to guide them towards parameterised queries as it helps prevent SQL Injection Attacks. Any answer that still involved injecting data in to a SQL String is potentially dangerous. Please read SQL Injection Attacks and Tips on How to Prevent Them[^]
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
Colin Angus Mackay wrote:
Please please please! Will people please learn about SQL Injection Attacks!
:laugh: No kidding...
-
But you are still injecting values into the SQL command. If you are injecting values in to the SQL command then attacks are possible. That's why it is called a SQL injection attack.
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
It isn't that hard to add in code to prevent the injection attacks, if I may add :rolleyes:
-
Not another one. Please please please! Will people please learn about SQL Injection Attacks! If you see someone asking a question like this again the best course is to guide them towards parameterised queries as it helps prevent SQL Injection Attacks. Any answer that still involved injecting data in to a SQL String is potentially dangerous. Please read SQL Injection Attacks and Tips on How to Prevent Them[^]
Upcoming events: * Glasgow: SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
I think that you should read what you are linking to yourself. ;) If the values are encoded correctly, there is no problem with concatenating string to create an SQL query. It's only if you do it wrong that the code is subject to SQL injections. Doing it right is not trivial, though, and the methods presented in this thread is for example not at all suitable if you are using an MySQL database. To encode a string for MySQL you would instead replace "\" with "\\", then replace "'" with "\'". So, using parameterised queries is good advice. :) It's not, however, the only way to protect the code against SQL injections.
--- single minded; short sighted; long gone;