0

One of the names in my data looks like this: O'Neil

When I put this into my MySQL query it looks like this: 'O'Neil'. Unfortunately it reads the ' between the O and the N and causes an error. I don't want to replace the '; I still want the name to be O'Neil. Can anyone recommend a way to do this?

I'm using C# (.Net).

Thanks.

CM888.

3 Answers

3

Jose is right - you should absolutely use parameterized queries.

This avoids:

  • SQL injection attacks
  • Invalid SQL due to quotes etc
  • Issues with date/time and numeric formats

It's also just a generally good idea to separate code from data.

See Bobby Tables for more.


3

You should use parameterized queries. Answers for this post are examples of parameterized queries. Indirectly you are performing SQL injection. Parameterized queries avoid SQL injection and moreover it is a good practice too.

1 Comment

Cheers; So I add mySqlCommand.Parameters.AddWithValue("@", User.name); ?

2

Use the SQL escape character ''.

'O''Neil'

ref : http://www.orafaq.com/faq/how_does_one_escape_special_characters_when_writing_sql_queries

1 Comment

No, don't try to fix the SQL - move the data out of the SQL in the first place.
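
The parameterized approach recommended in the answers above, as an added example that is not part of the original thread. It assumes the MySql.Data provider, a placeholder connection string, and a hypothetical existing table `users` with a `last_name` column; the placeholder name in the SQL text must match the name passed to `AddWithValue`.

```csharp
using System;
using MySql.Data.MySqlClient;   // assumed provider: NuGet package MySql.Data

class ParameterizedNameDemo
{
    // Placeholder connection string: substitute your own server and credentials.
    const string ConnStr = "Server=localhost;Database=testdb;Uid=app_user;Pwd=<password>;";

    static void Main()
    {
        string lastName = "O'Neil";   // constructed sample value from the question

        // What the question describes: the apostrophe ends the string literal early,
        // so the server receives ... VALUES ('O'Neil') and rejects it.
        string broken = "INSERT INTO users (last_name) VALUES ('" + lastName + "')";
        Console.WriteLine("Concatenated (invalid SQL): " + broken);

        using (var conn = new MySqlConnection(ConnStr))
        {
            conn.Open();

            // The SQL text holds only a named placeholder; the provider supplies
            // the value, apostrophe included, as data rather than as SQL syntax.
            using (var insert = new MySqlCommand(
                "INSERT INTO users (last_name) VALUES (@lastName)", conn))
            {
                insert.Parameters.AddWithValue("@lastName", lastName);
                insert.ExecuteNonQuery();
            }

            // Reading the row back uses the same placeholder pattern.
            using (var query = new MySqlCommand(
                "SELECT COUNT(*) FROM users WHERE last_name = @lastName", conn))
            {
                query.Parameters.AddWithValue("@lastName", lastName);
                long matches = Convert.ToInt64(query.ExecuteScalar());
                Console.WriteLine("Rows stored with the unmodified name: " + matches);
            }
        }
    }
}
```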
