
I follow the syntax of

INSERT INTO Table1
VALUES (value1, value2, value3…)

This has worked fine so far. But now I have some values that contain normal English text like "I'm going home". The ' character ruins the SQL command in C#. I have written the following:

command.CommandText = "INSERT INTO Bio VALUES ('" + name + "','" + "I'm going home" + "')";

evaluates to

INSERT INTO Bio VALUES ('Peter','I'm going home')

which obviously will not work. How do I make sure special characters will not ruin the SQL statements?

5 Answers

8

Use SqlParameter for heaven's sake. Otherwise your program will be vulnerable to SQL Injection. It will also solve your problem with the special characters.


2 Comments

In addition to that, parameterized queries are more likely to benefit from optimization - precompiling, server side caching, etc.
Thank you. This is the obvious answer.
4

Learn about parameterized queries for your provider. They exist for Odbc, OleDb, Sql, etc.

command.CommandText = "INSERT INTO Bio Values (@name, @text)";
// One parameter per placeholder; the parameter class depends on your provider
// (SqlParameter, OleDbParameter, OdbcParameter, ...). AddWithValue infers the DB type.
command.Parameters.AddWithValue("@name", name);
command.Parameters.AddWithValue("@text", text);
command.ExecuteNonQuery(); // execute query

1 Comment

I have used them before. But now I understand their purpose.
1

Use two single quotes whenever there is a single quote you want to escape.

Also instead of building your queries like this, you should use parameterized queries in a language of your choice. Escaping the characters yourself opens the door for SQL Injections.

Comments

1

Usually you can escape a single quote by screening it with another one. For example, the following is a valid statement:

INSERT INTO myTable (Column1) VALUES ('Hello I''m Jack');

However, I suggest using parameters.

command.CommandText = "INSERT INTO Bio VALUES (@Name, @OtherValue)";
command.Parameters.AddWithValue("Name", name);
command.Parameters.AddWithValue("OtherValue", "I'm going home");

One additional point in favor of using parameters is that you are free from the burden of formatting and other stuff. I mean date values, uniqueidentifiers, etc.

Comments
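An added example, not taken from the question or any of the answers, that puts the question's concatenation next to the parameterized form the answers recommend. It assumes the Microsoft.Data.Sqlite NuGet package so it runs offline against an in-memory database; the same DbCommand/DbParameter pattern applies to SqlClient, OleDb and Odbc, and the `Param` helper is hypothetical.

```csharp
using System;
using System.Data.Common;
using Microsoft.Data.Sqlite;

class BioDemo
{
    // Provider-neutral helper (hypothetical): CreateParameter() exists on every ADO.NET DbCommand.
    static DbParameter Param(DbCommand cmd, string name, object value)
    {
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.Value = value;
        return p;
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:"); // assumed provider
        conn.Open();
        new SqliteCommand("CREATE TABLE Bio (Name TEXT, Text TEXT)", conn).ExecuteNonQuery();

        string name = "O'Connel";        // constructed sample input
        string text = "I'm going home";  // the value from the question

        // 1. Concatenation as in the question: the apostrophe in the data closes the
        //    string literal, the statement is malformed and the provider rejects it.
        string concatenated = "INSERT INTO Bio VALUES ('" + name + "','" + text + "')";
        try
        {
            new SqliteCommand(concatenated, conn).ExecuteNonQuery();
        }
        catch (DbException ex)
        {
            Console.WriteLine("Concatenated SQL failed: " + ex.Message);
        }
        // 2. Parameters: the values are sent separately from the SQL text, so quotes
        //    and every other character reach the database unchanged, with no escaping.
        using DbCommand insert = conn.CreateCommand();
        insert.CommandText = "INSERT INTO Bio VALUES (@name, @text)";
        insert.Parameters.Add(Param(insert, "@name", name));
        insert.Parameters.Add(Param(insert, "@text", text));
        insert.ExecuteNonQuery();

        // Read it back through a parameterized query as well.
        using DbCommand select = conn.CreateCommand();
        select.CommandText = "SELECT Text FROM Bio WHERE Name = @name";
        select.Parameters.Add(Param(select, "@name", name));
        Console.WriteLine("Stored for " + name + ": " + select.ExecuteScalar());
    }
}
```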

-1

I do use

HttpUtility.HtmlEncode(text)

It makes all that SQL injection stuff disappear, and it seems easier than using parameters. Don't forget to use

HttpUtility.HtmlDecode(text)

to get your input back in the form you received it.

2 Comments

See Give me parameterized SQL, or give me death. Parameters are not difficult - look at @Anthony Pegram's example. If you find ADO.NET verbose, consider using an ORM.
You destroy the purity of the data. Data must be independent from the application that is using it. First name O'Connel must be O'Connel, not O'Connel. It further may be used by a desktop application, queried via WSDL/REST API, aggregated and analyzed, etc.
