
I have an HTML editor and I am trying to insert the HTML it generates into the database and then retrieve it in another page where the SQL table is. I am using a table with one text field with ASP 3.5. Here is the code:

using MySql.Data.MySqlClient;

MySqlConnection con = new MySqlConnection(@"Connection String  "); // I've tested the connection string and it's working fine

// The editor's HTML is concatenated straight into the SQL text, so any quote
// character inside it terminates the string literal early (the error below).
MySqlCommand cmd = new MySqlCommand("INSERT INTO ins (tes) VALUES ('" + Editor1.Content + "')", con);

con.Open();
cmd.ExecuteNonQuery();
con.Close();

This is the error I get:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'font-size: 18pt; line-height: 115%; font-family: "arial","sans-serif";'>Whatever' at line 1

How can this be done? Thanks in advance.

  • Could you be more precise and indicate what goes wrong exactly? Commented Apr 19, 2011 at 10:32

3 Answers


I think you should use a parametrized query instead, and never trust user data entry. Please, what is the type of tes, and could you clarify what is the error or the exception?


2 Comments

Could you explain more please, and tes is a text.
I mean a parametrized query guarantees no SQL injection, and no problems from the special characters. weblogs.asp.net/cumpsd/archive/2004/04/05/107456.aspx en.wikipedia.org/wiki/SQL_injection

And you open yourself to a lot of SQL injection. Data coming from the user should always be checked and sanitized before ending up in the database.

Besides, using ASP.NET you need to remove any HTML tags from the postback because the framework checks for possible HTML injection coming from the browser.

After removing the tags (or replacing the < by something like &lt;) and converting back in the server, you can use something like:

// Doubling each single quote keeps the literal from being terminated early; it is still string splicing, not a parameter.
MySqlCommand cmd = new MySqlCommand("INSERT INTO ins (tes) VALUES ('" + Editor1.Content.Replace("'", "''") + "')", con);
con.Open();
cmd.ExecuteNonQuery();
con.Close();

Although you should make parametrized queries.



Something like this might work:

using MySql.Data.MySqlClient;

// The value travels as a parameter, so it is never spliced into the SQL text.
MySqlCommand cmd = new MySqlCommand("INSERT INTO ins (tes) VALUES (@text)", con);

// MySqlDbType (not SqlDbType, which belongs to the SQL Server provider) matches the TEXT column.
cmd.Parameters.Add("@text", MySqlDbType.Text);
cmd.Parameters["@text"].Value = txtTextField.Text; // in the question this would be Editor1.Content

con.Open();
cmd.ExecuteNonQuery();
con.Close();

1 Comment

Yeah, you can use similar code (parametrized query) for MySQL, just the syntax will be a little different; they use (?) instead of (@) to indicate that it is a parameter.
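The parametrized approach the answers recommend, carried through to a full insert and read-back of the editor HTML. This is an added example, not code from the question or any answer; it assumes the question's table ins(tes TEXT), a placeholder connection string, and the MySql.Data connector the question uses (Connector/NET accepts the @name parameter form).

```csharp
// Added example: store editor HTML with a parametrized INSERT and verify it round-trips.
// Assumes the table from the question, ins(tes TEXT), and MySql.Data (Connector/NET).
using System;
using MySql.Data.MySqlClient;

class EditorHtmlStore
{
    // Placeholder: replace with your own connection string.
    const string ConnectionString = "server=localhost;database=test;uid=user;pwd=PLACEHOLDER";

    // Stores the raw HTML. The value never becomes part of the SQL text, so quotes,
    // semicolons or any other special characters inside it cannot alter the statement.
    public static void SaveHtml(string html)
    {
        using (var con = new MySqlConnection(ConnectionString))
        using (var cmd = new MySqlCommand("INSERT INTO ins (tes) VALUES (@tes)", con))
        {
            cmd.Parameters.Add("@tes", MySqlDbType.Text).Value = html;
            con.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Counts rows whose stored text equals the value we sent: a quick check that the
    // HTML survived the round trip unchanged, with no escaping or manual quoting involved.
    public static long CountExact(string html)
    {
        using (var con = new MySqlConnection(ConnectionString))
        using (var cmd = new MySqlCommand("SELECT COUNT(*) FROM ins WHERE tes = @tes", con))
        {
            cmd.Parameters.AddWithValue("@tes", html);
            con.Open();
            return Convert.ToInt64(cmd.ExecuteScalar());
        }
    }

    static void Main()
    {
        // Constructed sample modelled on the fragment in the question's error message:
        // the single and double quotes are exactly what broke the concatenated INSERT.
        string html = "<span style='font-size: 18pt; font-family: \"arial\",\"sans-serif\";'>Whatever's here</span>";
        SaveHtml(html);
        Console.WriteLine(CountExact(html) > 0 ? "stored unchanged" : "mismatch");
    }
}
```

ASP.NET request validation (mentioned in the second answer) is a separate step that happens before this code runs; the parametrized command only addresses how the value reaches MySQL.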
