I have a comment textbox, and it is working perfectly. When I enter text in the comment textbox, the data is inserted successfully into the database table. But if I use 's when writing a comment in the textbox, it gives me an error. I know perfectly well that the error is because of the 's. What code is required to solve this problem?


SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values('" + txtname.Text + "','" + txtaddress.Text + "','" + txtcomment.Text + "')", cnn);


I have found that for this problem I have to do ..
txt_comment.Text.Replace("'", "''");



But where I have to put this Replace function code, I don't know.
Updated 18-Jan-13 19:53pm

Hello. Please don't use this approach; you must use SQL parameters,
like...

SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values(@name,@address,@comment)", cnn);

// parameter names are strings, and the TextBox property is Text (capital T)
cmd.Parameters.AddWithValue("@name", txtname.Text);
cmd.Parameters.AddWithValue("@address", txtaddress.Text);
cmd.Parameters.AddWithValue("@comment", txtcomment.Text);
then execute the query ..


I hope your problem will be solved; if not, please leave me a comment.
Comments
Member 9511889 19-Jan-13 1:44am    
I know about this SQL injection problem, but my problem is not SQL injection. My problem is why the error comes while using apostrophe-s in the comment. For this problem I have found that the Replace function shown above is used, but where it is used, that I don't know.
rizwan muhammed khan gouri 19-Jan-13 1:57am    
In your previous query you create the command text dynamically; when 's comes in, your query will be
insert into table (name,address,comment) values('rizwan','codeproject','hello's')
and then the error comes. That's why we use parameters: parameters are inserted dynamically at run time by the ADO mechanism and the problem does not arise.
Use this approach:

using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

String cs = WebConfigurationManager.ConnectionStrings["conm"].ConnectionString;
SqlConnection conn = new SqlConnection(cs);
conn.Open();
SqlCommand cmd = new SqlCommand();
cmd.Connection = conn;
cmd.CommandType = CommandType.Text;
cmd.CommandText = "insert into table (name,address,comment) values(@name,@address,@comment)";

// typed parameters: the values are sent separately from the statement text
cmd.Parameters.Add("@name", SqlDbType.VarChar).Value = txtname.Text;
cmd.Parameters.Add("@address", SqlDbType.VarChar).Value = txtaddress.Text;
cmd.Parameters.Add("@comment", SqlDbType.VarChar).Value = txtcomment.Text;

cmd.ExecuteNonQuery();
conn.Close();
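The question asks where the escaping should go; the answer above and the comment under it both move the user input into parameters instead. As an added example, not code from the original post or its authors, here is the same insert written as a self-contained C# method with disposal and explicitly typed parameters, next to a helper that only builds (never runs) the concatenated text so the effect of an apostrophe is visible. The table name `Comments`, the column widths, and the connection string key `conm` are assumptions.

```csharp
// Added example (not from the original post): parameterized insert for the
// comment form discussed above. Table name, column sizes and the config key
// "conm" are assumed; the page does not give them.
using System;
using System.Data;
using System.Data.SqlClient;

public static class CommentRepository
{
    // Builds the statement the way the question does, purely to show what the
    // server would receive when the input contains an apostrophe. Do not execute
    // this form: the input becomes part of the statement text.
    public static string BuildConcatenatedSql(string name, string address, string comment)
    {
        return "insert into Comments (name,address,comment) values('" + name + "','" + address + "','" + comment + "')";
    }

    // Safe form: the statement text is a constant and the values travel as typed
    // parameters, so "hello's" is stored literally and can never close the literal.
    public static int InsertComment(string connectionString, string name, string address, string comment)
    {
        const string sql = "insert into Comments (name, address, comment) values (@name, @address, @comment)";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;

            // Explicit types and lengths rather than AddWithValue: AddWithValue infers
            // an NVARCHAR sized to each input, which produces a different plan per call.
            // The sizes here are assumed column widths; -1 means NVARCHAR(MAX).
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = address;
            cmd.Parameters.Add("@comment", SqlDbType.NVarChar, -1).Value = comment;

            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected; 1 on success
        }
    }
}

// Usage from the page code-behind, with the control names from the question
// (connection string read from web.config via
// System.Web.Configuration.WebConfigurationManager.ConnectionStrings["conm"]):
//
//   int rows = CommentRepository.InsertComment(cs, txtname.Text, txtaddress.Text, txtcomment.Text);
//
// For comparison, BuildConcatenatedSql("rizwan", "codeproject", "hello's") returns
//   insert into Comments (name,address,comment) values('rizwan','codeproject','hello's')
// which is the broken statement quoted in the comment above: the quote inside
// "hello's" ends the string literal early and the parser fails on the rest.
```

Keeping the statement text constant is what removes the problem: the apostrophe is just data inside a parameter value, so no Replace call is needed anywhere, and the stored comment keeps its original spelling.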
Hi,

Very general problem. It is called SQL injection.

Solutions:

1) Don't pass the SQL query by concatenating strings; always use command parameters for your SQL query, because values from users can break your query, and it is easily hackable or can corrupt your database. For more detail you can search for SQL INJECTION.

2) You can use a disconnected architecture.


Please mark as answer if you get help from it, and rate also.
Thanks
Asp.Net/C#.Net Help
Hemant Singh
Comments
Member 9511889 19-Jan-13 1:42am    
I know about this SQL injection problem, but my problem is not SQL injection. My problem is why the error comes while using apostrophe-s in the comment. For this problem I have found that the Replace function shown above is used, but where it is used, that I don't know.
Nandakishore G N 19-Jan-13 1:49am    
SQL takes the string or varchar within single quotes ('...'), right? With the apostrophe-s ('s), when you pass it to the query, SQL thinks that the string is closed and the next character, i.e. s, looks like a foreign entity, and it treats it as a threat. Therefore you'll get the error.
Hemant Singh Rautela 19-Jan-13 3:43am    
You can use it in your code.... BUT IT IS NOT RECOMMENDED..

string a = txtname.Text.Replace("'", " ");
string b = txtaddress.Text.Replace("'", " ");
string c = txtcomment.Text.Replace("'", " ");
SqlCommand cmd = new SqlCommand("insert into table (name,address,comment) values('" + a + "','" + b + "','" + c + "')", cnn);

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)