want to allow the user to enter ' but shows error

Category: C# | Tag: databasehelp
6 Posts, 4 Posters
#1 Mehul_qaz wrote:

Hi! I want the user to be able to enter a single quote (') in the textbox. I'm using SQLyog, but it displays an error as the insert query becomes ('dgfd dfg ddf_'','','',8). You can see here that there are actually four parameters, but it shows an error.

#2 Blue_Boy wrote (in reply to #1):
Use the Replace function from C# code. Something like:

    // Doubles every single quote so it is treated as a literal character, not a string delimiter
    string escaped = TextBox1.Text.Replace("'", "''");


I Love T-SQL "Don't torture yourself, let life do it for you." If my post helps you, kindly save my time by voting for my post.

#3 Guffa wrote (in reply to #1):
        Your application is wide open for SQL injection attacks. Please instruct your users not to enter this in the text field:

        ','','',8);drop table Users;--

        Alternatively, you can correct the code. Use parameterised queries instead of concatenating the data into the query.

        Despite everything, the person most likely to be fooling you next is yourself.

#4 Guffa wrote (in reply to #2):

          Note: That is the correct way to escape a string for some specific databases, like MS SQL Server and MS Access. For other databases you need to do it differently. It's important to use the correct escaping method for the specific database, otherwise the code is still wide open for SQL injections. If you use a parameterised query instead, there is no need for escaping.

#5 musefan wrote (in reply to #1):

Well, the solution you should take, and not just to solve your issue but to make it more secure, is to use parameters with the SQL queries.

            Life goes very fast. Tomorrow, today is already yesterday.

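A C# illustration of what Guffa (#3, #4) and musefan (#5) recommend, added here as an example and not code from the thread: the concatenated insert from the question beside a parameterised one. It uses the SQL Server ADO.NET provider that Guffa mentions (the same pattern applies to other providers such as MySQL's); the Items table, its columns and the connection string are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: assumes a table Items(Name, Category, Note, Qty) and a connection string.
public static class ItemRepository
{
    const string ConnectionString = "<your-connection-string>"; // placeholder

    // Vulnerable version, mirroring the question: textbox text is pasted into the SQL text.
    // A single quote in 'name' ends the string literal early, so the statement no longer parses,
    // and crafted input (see #3) changes what the statement does.
    public static string BuildUnsafeInsert(string name, string category, string note, int qty)
    {
        return "INSERT INTO Items (Name, Category, Note, Qty) VALUES ('" + name + "','"
             + category + "','" + note + "'," + qty + ")";
    }

    // Safe version: the SQL text is fixed and the values travel separately as typed parameters.
    // A quote is then just a character in the data, so no database-specific escaping is needed.
    public static int InsertItem(string name, string category, string note, int qty)
    {
        const string sql =
            "INSERT INTO Items (Name, Category, Note, Qty) VALUES (@name, @category, @note, @qty)";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring type and length lets the provider enforce them instead of the query text.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@category", SqlDbType.NVarChar, 50).Value = category;
            cmd.Parameters.Add("@note", SqlDbType.NVarChar, 500).Value = note;
            cmd.Parameters.Add("@qty", SqlDbType.Int).Value = qty;
            conn.Open();
            return cmd.ExecuteNonQuery(); // number of rows inserted
        }
    }

    public static void Main()
    {
        // The exact input from the question: the trailing quote produces the broken statement shown there.
        string broken = BuildUnsafeInsert("dgfd dfg ddf_'", "", "", 8);
        Console.WriteLine(broken); // INSERT ... VALUES ('dgfd dfg ddf_'','','',8)

        // With parameters the same input is stored verbatim, quote included.
        // InsertItem("dgfd dfg ddf_'", "", "", 8);  // needs a real connection string
    }
}
```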
#6 Blue_Boy wrote (in reply to #4):

I agree with you. I just didn't have enough time to explain more in my first reply to this question. I appreciate your additional answer.
