See more: C# ASP.NET
I have a comment textbox, and it is working perfectly. When I enter text in the comment textbox, the data is inserted successfully into the database table. But if I use 's when writing a comment in the textbox, it gives me an error. I know perfectly well that the error is because of the 's. What code is required to solve this problem?
 

// The values are spliced straight into the SQL text, so an apostrophe in any of them breaks the statement.
SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values('" + txtname.Text + "','" + txtaddress.Text + "','" + txtcomment.Text + "')", cnn);
 
I have found that for this problem I have to do...
// Replace returns a new string; the result has to be kept and used in place of the raw textbox value.
string escapedComment = txt_comment.Text.Replace("'", "''");
 

But where I have to put this Replace function code, I don't know.
Posted 18-Jan-13 19:11pm
Edited 18-Jan-13 19:53pm

Solution 2

Hello. Please don't use this style; you must use SQL parameters,
like...
 
SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values(@name,@address,@comment)", cnn);

// Parameter names are strings; the values are sent separately from the SQL text.
cmd.Parameters.AddWithValue("@name", txtname.Text);
cmd.Parameters.AddWithValue("@address", txtaddress.Text);
cmd.Parameters.AddWithValue("@comment", txtcomment.Text);
then execute the query...
 

I hope your problem will be solved; if not, please give me your comment.
Comments
Member 9511889 at 19-Jan-13 1:44am
I know this SQL injection problem, but my problem is not SQL injection. My problem is why the error is coming while using apostrophe s in the comment. For this problem I have found that the Replace function as shown above is used, but where it is used, that I don't know.
rizwan muhammed khan gouri at 19-Jan-13 1:57am
In your previous query you create the command text dynamically; when 's comes, your query will be
insert into table (name,address,comment) values('rizwan','codeproject','hello's')
then the error comes. That's why we use parameters: parameters are inserted dynamically at run time using the ADO mechanism and the problem does not arise.

Solution 3

Use this:
 
// At the top of the code-behind file:
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

string cs = WebConfigurationManager.ConnectionStrings["conm"].ConnectionString;
using (SqlConnection conn = new SqlConnection(cs))
{
    conn.Open();
    SqlCommand cmd = new SqlCommand();
    cmd.Connection = conn;
    cmd.CommandType = CommandType.Text;   // the member is CommandType.Text, not .text
    cmd.CommandText = "insert into table (name,address,comment) values(@name,@address,@comment)";

    // Typed parameters: the values never become part of the SQL text, so an apostrophe is just data.
    cmd.Parameters.Add("@name", SqlDbType.VarChar).Value = txtname.Text;
    cmd.Parameters.Add("@address", SqlDbType.VarChar).Value = txtaddress.Text;
    cmd.Parameters.Add("@comment", SqlDbType.VarChar).Value = txtcomment.Text;

    cmd.ExecuteNonQuery();
}   // the using block closes the connection even if ExecuteNonQuery throws
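As an added example (not code from any of the answers above), the following C# puts the asker's concatenated INSERT beside the parameterized form that Solutions 2 and 3 recommend, so the effect of an apostrophe in the comment can be seen in the generated SQL text. The column sizes, the connection-string argument and the sample values are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CommentInsert
{
    // The asker's approach: the value is spliced into the SQL text, so the apostrophe
    // in "hello's" closes the string literal early and the statement no longer parses.
    // Kept only to make the failure visible; never use this for real input.
    public static string BuildConcatenatedSql(string name, string address, string comment)
    {
        return "insert into table (name,address,comment) values('"
             + name + "','" + address + "','" + comment + "')";
    }

    // The fix from Solutions 2 and 3: the SQL text holds only placeholders and the values
    // travel separately, so quotes inside them are plain data. ("table" is taken from the
    // page as the table name; it is a reserved word in T-SQL, so a real name would replace it.)
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string name, string address, string comment)
    {
        var cmd = new SqlCommand("insert into table (name,address,comment) values(@name,@address,@comment)", conn);
        cmd.CommandType = CommandType.Text;
        // Explicit types and sizes (assumed to match the columns) avoid the type guessing of AddWithValue.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = address;
        cmd.Parameters.Add("@comment", SqlDbType.NVarChar, -1).Value = comment;   // -1 = nvarchar(max)
        return cmd;
    }

    // Full round trip; connectionString is an assumed input, e.g. read from web.config.
    public static int InsertComment(string connectionString, string name, string address, string comment)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildParameterizedCommand(conn, name, address, comment))
        {
            conn.Open();
            return cmd.ExecuteNonQuery();   // rows affected, 1 on success
        }
    }

    public static void Main()
    {
        // Constructed sample input with the apostrophe from the question.
        string broken = BuildConcatenatedSql("rizwan", "codeproject", "hello's");
        Console.WriteLine(broken);   // the comment literal is cut at hello and a stray s') follows it

        var cmd = BuildParameterizedCommand(new SqlConnection(), "rizwan", "codeproject", "hello's");
        Console.WriteLine(cmd.CommandText);                     // placeholders only, no user text
        Console.WriteLine(cmd.Parameters["@comment"].Value);    // the apostrophe survives as data
    }
}
```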

Solution 1

Hi,

Very general problem - it is called SQL injection.

Solutions:

1) Don't pass the SQL query using string concatenation; always use command parameters for your SQL query, because values from users can break your query, and it is easily hackable or can corrupt your database. For more detail you can search about SQL INJECTION.

2) You can use disconnected architecture.

Please mark as answer if you get help from it, and rate also.
Thanks
Asp.Net/C#.Net Help
Hemant Singh
Comments
Member 9511889 at 19-Jan-13 1:42am
I know this SQL injection problem, but my problem is not SQL injection. My problem is why the error is coming while using apostrophe s in the comment. For this problem I have found that the Replace function as shown above is used, but where it is used, that I don't know.
Nandakishorerao at 19-Jan-13 1:49am
SQL takes the string or varchar within single quotes (''), right? With the apostrophe s ('s), when you pass it to the query, SQL thinks that the string is closed and the next character, i.e. s, looks like a foreign entity and it treats it as a threat. Therefore, you'll get the error.
hemantrautela at 19-Jan-13 3:43am
You can use it in your code....BUT IT IS NOT RECOMMENDED..

// Stripping quotes silently alters what the user typed; it does not make the concatenation safe.
string a = txtname.Text.Replace("'", " ");      // name column (was txt_comment in the original, a copy-paste slip)
string b = txtaddress.Text.Replace("'", " ");
string c = txtcomment.Text.Replace("'", " ");
SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values('" + a + "','" + b + "','" + c + "')", cnn);

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 19 Jan 2013
Copyright © CodeProject, 1999-2014