I have a comment textbox, and it is working perfectly. When I enter text in the comment textbox, the data is inserted successfully into the database table. But if I use 's when writing a comment in the textbox, it gives me an error. I know perfectly well that the error is because of the 's. What code is required to solve this problem?

// Code as posted: the three textbox values are concatenated straight into the SQL text
SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values('" + txtname.Text + "','" + txtaddress.Text + "','" + txtcomment.Text + "')", cnn);
Posted 17-Jan-13 8:41am

1 solution


Solution 1

Basically, you need to double it up.

Try something like:

// Replace returns a new string; keep the result and use it in place of txtcomment.Text when building the INSERT
string comment = txtcomment.Text.Replace("'", "''");

That is very simplistic and you should research the reasons behind this and come up with a solution that fits your specific needs.
Sergey Alexandrovich Kryukov 17-Jan-13 17:02pm
My 5, for leaving OP some room for further work. :-)
Marcus Kramer 17-Jan-13 17:13pm
adriancs 17-Jan-13 22:11pm
To understand why this is needed, try executing this:

string name = "anyname";
string address = "anyaddress";
string comment = "anycomment'); DROP TABLE IF EXISTS `table`; SELECT ('surprise";

SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values('" + name + "','" + address + "','" + comment + "')", cnn);

It's called SQL Injection.
Member 9511889 19-Jan-13 1:01am
Where do I have to write this code?
mark merrens 19-Jan-13 10:03am
It's in the solution. Think about it.
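The Replace call in the solution and the DROP TABLE string in the comments both come from the same cause: the textbox values are spliced into the SQL text. Sending them as SqlParameter values removes that cause entirely. This is an added example, not code from the question or the answer; the connection string, the column lengths and the [table] name (kept from the question and bracketed because it is a reserved word in T-SQL) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class CommentRepository
{
    // Inserts one row using parameters instead of string concatenation.
    // Returns the number of rows affected (1 on success).
    public static int InsertComment(string connectionString, string name, string address, string comment)
    {
        // Placeholders, not values, appear in the SQL text.
        const string sql =
            "INSERT INTO [table] (name, address, comment) VALUES (@name, @address, @comment)";

        using (var cnn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, cnn))
        {
            // Each value travels to the server as a typed parameter, so an
            // apostrophe in "it's" (or the "'); DROP TABLE ..." string shown
            // in the comments above) is stored as plain text and is never
            // parsed as SQL. No quote doubling is needed.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;        // assumed column length
            cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = address;  // assumed column length
            cmd.Parameters.Add("@comment", SqlDbType.NVarChar, 4000).Value = comment; // assumed column length

            cnn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Example call from the page's button handler (assumed names and connection string):
    // int rows = CommentRepository.InsertComment(connectionString,
    //                                            txtname.Text, txtaddress.Text, txtcomment.Text);
}
```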

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 17 Jan 2013 | Copyright © CodeProject, 1999-2017