Daves wrote:
... here I could do some ContentString.Replace() functions but I
thought maybe there would be a simple one line to do the job eg.
String.Format() ? ...
// Concatenating user text straight into the statement (the approach being asked about)
SQLString = "UPDATE Content='" + ContentString + "' WHERE ...";
myCommand = new OleDbCommand(SQLString, myConnection);
myCommand.ExecuteNonQuery();
As Patrice mentioned, you are having problems because you are ignoring
some Best Practices for building applications in .NET. Ideally you
should be using stored procedures:
myCommand = new SqlCommand("sp_ContentUpdate", myConnection);
myCommand.CommandType = CommandType.StoredProcedure; // tell ADO.NET this is a procedure name, not SQL text
myCommand.Parameters.Add("@ContentString", contentString);
myCommand.ExecuteNonQuery();
Ad hoc SQL in your code is a Bad Thing. If you absolutely must use it,
you should at least use parameterized sql:
// The value is passed as a parameter, so it is never parsed as part of the SQL
SQLString = "UPDATE Content set ContentString = @ContentString WHERE ....";
myCommand = new SqlCommand(SQLString, myConnection);
myCommand.Parameters.Add("@ContentString", contentString);
myCommand.ExecuteNonQuery();
No more formatting your strings off the page, no more SQL Injection
attacks against your site. Check out
http://www.uberasp.net/getarticle.aspx?id=46 for more info.
Good Luck!
Jason
http://www.expatsoftware.com/
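To show concretely why the parameterized form above matters, here is an added example (not code from Jason's post or from the site he links) that runs both approaches against the same input. Python's sqlite3 module stands in for ADO.NET so the demo runs offline; the table and the sample text are constructed for the example, and the `?` placeholder is sqlite3's equivalent of the `@ContentString` parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with one row; nothing here comes from the original thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Content (Id INTEGER PRIMARY KEY, ContentString TEXT)")
    conn.execute("INSERT INTO Content (Id, ContentString) VALUES (1, 'original')")
    conn.commit()
    return conn


def update_concat(conn, content_id, content):
    """The ad hoc form from the question: the text is glued into the SQL string.
    Because the text becomes part of the statement's grammar, any quote character
    in it changes the statement instead of being stored."""
    sql = ("UPDATE Content SET ContentString = '" + content
           + "' WHERE Id = " + str(content_id))
    conn.execute(sql)
    conn.commit()


def update_param(conn, content_id, content):
    """The parameterized form: the text travels to the engine as a value,
    so quotes inside it are stored verbatim and never parsed as SQL."""
    sql = "UPDATE Content SET ContentString = ? WHERE Id = ?"
    conn.execute(sql, (content, content_id))
    conn.commit()


def read_content(conn, content_id):
    row = conn.execute(
        "SELECT ContentString FROM Content WHERE Id = ?", (content_id,)
    ).fetchone()
    return row[0] if row else None


def demo(text):
    """Run both update styles on a fresh table each; return (concat_outcome, param_outcome).
    The concatenated version reports the engine's error instead of a stored value when
    the input breaks the statement."""
    conn = make_db()
    try:
        update_concat(conn, 1, text)
        concat_result = read_content(conn, 1)
    except sqlite3.OperationalError as exc:
        concat_result = "error: " + str(exc)

    conn2 = make_db()
    update_param(conn2, 1, text)
    param_result = read_content(conn2, 1)
    return concat_result, param_result


if __name__ == "__main__":
    # Constructed inputs: an ordinary apostrophe is all it takes to break the
    # concatenated statement, while the parameterized one stores it unchanged.
    print(demo("plain text"))
    print(demo("Don't format SQL by hand"))
```

The second call is the interesting one: the concatenated statement fails on a plain English apostrophe, which is the same mechanism an attacker relies on; the parameterized statement stores the apostrophe as data. No escaping or `Replace()` calls are needed, which answers the original question directly.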