How to save string with quotation mark

Question

2.14/5 (3 votes)

See more:

Hi frds,
I have problem while save the string with quotation mark like 30's Cotton. I want to save this string.

My save query

SqlCommand com = new SqlCommand("insert into Table_Name values('" + textBox57.Text +"')", con);

but i got error. how can i solve this error.
Please reply me as soon as possible.
Thank you

Posted 6-Nov-15 18:21pm

Mekalamani

Add a Solution

Comments

Gautham Prabhu K 7-Nov-15 10:55am

Can you share the error message you got?
Its little hard to guess what went wrong?

4 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

jgakenhe · Answer 1 · 2015-11-06T18:37:00

I find it best to use HTML Encode and Decode. In fact, for security reasons, you should always use HTMLEncode and HTMLDecode when saving large areas of text to stop XSS scripting and SQL Injection.

C#

SqlCommand com = new SqlCommand("insert into Table_Name values('" +  Server.HtmlEncode(textBox57.Text +"')", con));

To Save to Database:
https://msdn.microsoft.com/en-us/library/w3te6wfz%28v=vs.110%29.aspx

To Display from Database:
https://msdn.microsoft.com/en-us/library/7c5fyk1k%28v=vs.110%29.aspx

Suvendu Shekhar Giri · Answer 2 · 2015-11-06T18:35:00

Your code is vulnerable to SQL Injection.[^]
You can prevent sql injection as well as solve your problem by using either Stored Procedure or Parameterized Query.

Try this-

SQL

SqlCommand com = new SqlCommand("insert into Table_Name values(@MyValue)", con);
cmd.Parameters.AddWithValue("@MyValue", textBox57.Text);

Check following article for further details-
Using Parameterized queries to prevent SQL Injection Attacks in SQL Server[^]

Hope, it helps :)

**Debojyoti Saha** · Answer 3 · 2015-11-06T18:38:00

Use SQL Parameter to solve the issue
Parameter can send your exact code to sql
like

SQL

insert into MyTable values (@id, @name)

And

C#

int id = 1;
string name = "30's Cotton";
SqlCommand command = new SqlCommand(commandString, connection);
command.Parameters.AddWithValue("id", id);
command.Parameters.AddWithValue("name", name);
command.ExecuteNonQuery();

--
Happy Codding

Anisuzzaman Sumon · Answer 4 · 2015-11-06T18:42:00

Solution 4

Use double single quote. Example given below

SQL

insert into [tbl_Test]
values(2,'30''s')

Posted 6-Nov-15 18:42pm

Anisuzzaman Sumon

How to save string with quotation mark

4 solutions

Solution 2

Solution 1

Solution 3

Solution 4

Add your solution here

Preview 0