problem with my sqlcommand

  • Question

  • Hi everyone, can anyone help me with my problem?

    I have a textbox and a button which inserts data into the SQL database. Here is the command:

    Dim cmdcomment As New SqlClient.SqlCommand("INSERT INTO [Feedback] ([Feedback]) VALUES ('" + txtcomment.Text + "')", dbcon)

    It works fine, but when I enter a single quotation mark in the text box everything goes wrong, because the value of the textbox is a string and the sqlcommand is also a string.

    What should I do?


    • Edited by j-andrew Thursday, September 15, 2011 8:26 AM
    • Moved by Paul Zhou Monday, September 19, 2011 8:12 AM (From:Regular Expressions)
    Thursday, September 15, 2011 8:23 AM

Answers

  • Hello, 

    Replace the single quotes by 2 single quotes before insert (single quote is the text delimiter but also the escape character in SQL).

    string text = txtcomment.Text.Replace("'","''");
    

    Now you should be more careful about SQL injection and use parameters. Take a look at the following link.

    http://msdn.microsoft.com/en-ie/library/ms161953.aspx

    Best regards

    • Proposed as answer by andersmj Friday, September 16, 2011 3:37 PM
    • Marked as answer by Jackie-SunModerator Monday, September 19, 2011 8:12 AM
    Thursday, September 15, 2011 9:24 AM
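The parameterized form the answer points to, written for the question's own INSERT, added here as an example (it is not code from either poster). It keeps the question's table, column and control names (`Feedback`, `txtcomment`, `dbcon`); the `btnSubmit` button name, the 4000-character column size and the caller-supplied connection string are assumptions.

```vb
' Added example, not from the original post. Same INSERT as the question,
' written with a parameterized SqlCommand so that txtcomment.Text is sent to
' SQL Server as a value and is never spliced into the statement text.
' Assumptions: [Feedback].[Feedback] is NVARCHAR(4000) (size is a placeholder)
' and the caller supplies the connection string.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Class FeedbackRepository
    Private Const MaxCommentLength As Integer = 4000  ' assumed column size
    Private ReadOnly _connectionString As String

    Public Sub New(connectionString As String)
        _connectionString = connectionString
    End Sub

    ' Inserts one row and returns the number of rows affected (1 on success).
    ' Quotes, dashes and semicolons in comment are stored literally; no
    ' Replace("'", "''") is needed because the text never becomes part of the SQL.
    Public Function InsertFeedback(comment As String) As Integer
        If comment Is Nothing Then Throw New ArgumentNullException("comment")
        If comment.Length > MaxCommentLength Then
            Throw New ArgumentException("Comment is too long.", "comment")
        End If

        Using dbcon As New SqlConnection(_connectionString)
            Using cmdcomment As New SqlCommand( _
                    "INSERT INTO [Feedback] ([Feedback]) VALUES (@Feedback)", dbcon)
                ' Explicit type and size: the driver sends the value as an
                ' NVARCHAR parameter rather than as part of the query text.
                cmdcomment.Parameters.Add("@Feedback", SqlDbType.NVarChar, MaxCommentLength).Value = comment
                dbcon.Open()
                Return cmdcomment.ExecuteNonQuery()
            End Using
        End Using
    End Function
End Class

' In the form code-behind (btnSubmit is an assumed button name; dbcon is the
' question's existing connection, used here only for its connection string):
'
' Private Sub btnSubmit_Click(sender As Object, e As EventArgs) Handles btnSubmit.Click
'     Dim repo As New FeedbackRepository(dbcon.ConnectionString)
'     Dim rows As Integer = repo.InsertFeedback(txtcomment.Text)
'     If rows <> 1 Then MessageBox.Show("Feedback was not saved.")
' End Sub
```

With this form the single quotation mark from the question round-trips unchanged, and so does any other character, because the text is delivered as a typed parameter value. The quote-doubling in the answer handles one delimiter; it still leaves the user's text inside the statement, which is why the answer recommends parameters as the real fix. Checking the `ExecuteNonQuery` return value in the handler confirms that exactly one row was written.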