I am trying to build a SQL query and I want to add single quotes to the query, but it doesn't work :(


C#
// builds the search SQL by concatenating the textbox contents into the query text
string quarry = "Select * from essayT where (EsId=EsId) ";
if (TextBox1.Text != "")
{
    // spaces become LIKE wildcards so "a b" matches "a ... b"
    string strReplace = TextBox1.Text.Replace(' ', '%');
    quarry = quarry + "And ( EsTittleF like N'%" + strReplace + "%')";
}


In this example I am trying to get this query:

Select * from essayT where (EsId=EsId) And (EsTittlef like '%textbox1.text%' )

I can't insert single quotes into the string.
Please help, thanks guys :)
Updated 24-Apr-14 1:43am
Comments
[no name] 24-Apr-14 7:22am    
http://stackoverflow.com/questions/254009/in-c-add-quotes-around-string-in-a-comma-delimited-list-of-strings
[no name] 24-Apr-14 7:23am    
http://www.codeproject.com/Questions/456183/APPEND-SINGLE-QUOTE-WITH-VALUES-IN-STRING-BUILDER

Don't try to do it like that: do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attacks, which can destroy your entire database. Use parameterized queries instead.
C#
string strSelect = @"SELECT * FROM essayT WHERE EsTittleF LIKE '%' + @SS + '%'";
using (SqlCommand cmd = new SqlCommand(strSelect, con))
{
    // the textbox contents travel as a parameter value, never as SQL text
    cmd.Parameters.AddWithValue("@SS", TextBox1.Text);
    using (SqlDataReader reader = cmd.ExecuteReader())
    {
        while (reader.Read()) { /* use reader["EsTittleF"] etc. */ }
    }
}
Comments
farham_heidari 24-Apr-14 7:42am    
I am checking more than one textbox, so I really don't know which of them will be filled in by the user... I can't use SQL parameters.
OriginalGriff 24-Apr-14 7:47am    
"i can't use sql parameters"
Why not? It's the same thing as using the textbox content.
Plus, if you don't use SQL parameters, then along comes me (or your best mate) and deletes your database by typing in the textbox...
farham_heidari 24-Apr-14 11:00am    
I am a little confused... please help me.
I have a class named db for selecting from and linking to my database; the syntax is
DataTable dtessay = db.Select("Select * from essayT where (EsId=EsId)", CommandType.Text);

I want to make a search in the essay table. How can I generate a good query?
OriginalGriff 24-Apr-14 11:18am    
Why is your WHERE clause like that? It's the same as not having a WHERE at all, since the EsId column will always match the value in the EsId column... :laugh:

Doing it like that is dangerous. Seriously dangerous. When you build an SQL query by including a TextBox in the SELECT string:
string s = "Select * from essayT where (EsId=EsId) And ( EsTittleF like N'%" + TextBox1.Text + "%')";
You hand over control of your db to anyone who can type in the text box.
Back up your database and enter this in the textbox:
x');DROP TABLE essayT;--
When you run your query, the SQL that is passed through is:
Select * from essayT where (EsId=EsId) And (EsTittleF like N'%x');DROP TABLE essayT;--%')
Which SQL sees as three separate commands:
A SELECT for rows that end with "x"
A delete command for your table
A comment
So it does each of those in sequence. This is called SQL Injection and it is no joke: people do do this just to see what will happen.

If you do not change your code to use parameterised queries, then at some point, someone will try it, and it will work...

So change your db class to let you use parameters. If you don't, you had better get very, very good at doing backups. Because you *are* going to need them.
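Putting the advice in this answer and the comments above into code: the following is an added example, not code from the original post or from any answer in this thread. It shows how a db.Select wrapper like the poster's can accept parameters, and how a search across several optional textboxes can be assembled with every user value sent as a parameter value rather than as SQL text, which is exactly the "more than one textbox" case the poster thought ruled parameters out. The Db class, the column names EsAuthor and EsBody, the connection string and the System.Data.SqlClient namespace are assumptions; only essayT and EsTittleF come from the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;   // assumed; Microsoft.Data.SqlClient exposes the same types

// Hypothetical replacement for the poster's db class: same Select signature as
// in the thread, plus an optional list of parameters that travel with the command.
public class Db
{
    private readonly string _connectionString;   // assumed to come from config

    public Db(string connectionString) { _connectionString = connectionString; }

    public DataTable Select(string sql, CommandType type, params SqlParameter[] parameters)
    {
        using (var con = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, con) { CommandType = type })
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.AddRange(parameters);
            var table = new DataTable();
            adapter.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }
}

public static class EssaySearch
{
    // Columns the search may filter on. Column names end up as SQL text, so they
    // must come from this list, never from the request. EsAuthor/EsBody are assumed.
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string> { "EsTittleF", "EsAuthor", "EsBody" };

    // Escape the characters that are special inside a SQL Server LIKE pattern so
    // the user's text is matched literally ([x] in a pattern matches the character x).
    public static string EscapeLike(string value)
    {
        return value.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Builds "SELECT * FROM essayT WHERE (col LIKE @p0) AND (col LIKE @p1) ..." from
    // whichever textboxes were filled in; empty ones add no condition at all.
    public static string BuildSearch(IDictionary<string, string> filters, out SqlParameter[] parameters)
    {
        var conditions = new List<string>();
        var ps = new List<SqlParameter>();

        foreach (var filter in filters)
        {
            if (!AllowedColumns.Contains(filter.Key))
                throw new ArgumentException("not a searchable column: " + filter.Key);
            if (string.IsNullOrWhiteSpace(filter.Value))
                continue;

            string name = "@p" + ps.Count;
            conditions.Add("(" + filter.Key + " LIKE " + name + ")");

            // Same idea as the original post (spaces become wildcards), but the rest
            // of the input is escaped so it cannot add wildcards of its own, and the
            // whole pattern is a parameter value, never part of the SQL text.
            string pattern = "%" + EscapeLike(filter.Value).Replace(' ', '%') + "%";
            ps.Add(new SqlParameter(name, SqlDbType.NVarChar, 4000) { Value = pattern });
        }

        parameters = ps.ToArray();
        return "SELECT * FROM essayT"
            + (conditions.Count > 0 ? " WHERE " + string.Join(" AND ", conditions) : "");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed input: what three textboxes might contain, including the
        // payload from the comment above. Keys are the columns each box searches.
        var filters = new Dictionary<string, string>
        {
            { "EsTittleF", "x');DROP TABLE essayT;--" },
            { "EsAuthor", "" },
            { "EsBody", "50% off_sale" },
        };

        SqlParameter[] ps;
        string sql = EssaySearch.BuildSearch(filters, out ps);
        Console.WriteLine(sql);
        foreach (var p in ps)
            Console.WriteLine(p.ParameterName + " = " + p.Value);

        // To run it against the database (connection string assumed):
        // DataTable rows = new Db(connectionString).Select(sql, CommandType.Text, ps);
    }
}
```

With that input the generated SQL text contains only the column names from the allow-list and the placeholders @p0 and @p1; the DROP TABLE payload arrives at the server as the value of @p0 and is matched as literal title text, and the % and _ typed into the third box are escaped so they cannot widen the match. Adding a fourth textbox means adding one entry to the dictionary and one column to AllowedColumns, nothing else.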
See the following code:
string strReplace = TextBox1.Text.Replace("'", "%");
 
Try changing the line below

quarry = quarry + "And ( EsTittleF like N%'" + strReplace + "%')";


with this:

quarry = quarry + "And ( EsTittleF like N'%" + strReplace + "%')";
 
Comments
farham_heidari 24-Apr-14 7:41am    
it didn't work :(
 
Share this answer
 
Comments
[no name] 24-Apr-14 7:24am    
http://www.codeproject.com/Questions/456183/APPEND-SINGLE-QUOTE-WITH-VALUES-IN-STRING-BUILDER

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)