Problem with INSERT Statement

Hi,
I have made an application using C# that accesses SQL 2000.
This application is just used to insert data into the database.
I use something like this in my code:

string colmnA = TextBox1.Text;
string colmnB = TextBox2.Text;
string sqlstatment = "INSERT INTO TABLENAME VALUES(" + "'" + colmnA + "'" + "," +
    "'" + colmnB + "'" + ")";

Everything was fine till someone entered the following:
colmnA = "My name'";
colmnB = "Alex";

Then the INSERT statement is:
INSERT INTO TABLENAME VALUES('My name'','Alex')
As you see, the second " ' " was the problem.
I want to know how to avoid this problem.
Is there a means to make SQL insert the value "My name'" into
the DB and not throw an exception about the second " ' "?
Thanks in advance
Nov 17 '05 #1
Hi

What you want to do is create a stored procedure that takes in two
parameters, e.g.

CREATE PROCEDURE InsertRow
    @name varchar(50),
    @description varchar(100)
AS

INSERT INTO TableName (TableColumn1, TableColumn2)
VALUES (@name, @description)

GO

And then in your C# use an ADO.NET command object with parameters, e.g.

SqlCommand command = new SqlCommand("InsertRow", new SqlConnection("Your connection string"));
command.CommandType = CommandType.StoredProcedure;
command.Parameters.Add(new SqlParameter("@name", TextBox1.Text));
command.Parameters.Add(new SqlParameter("@description", TextBox2.Text));
command.Connection.Open();
command.ExecuteNonQuery(); // an INSERT returns no result set, so ExecuteNonQuery is the right call
command.Connection.Close();
That should do ya.

Ian

Nov 17 '05 #2
Gav
Why not add:

while (colmnA.IndexOf("'") != -1)
{
    // String.Remove returns a new string, so the result has to be assigned back
    colmnA = colmnA.Remove(colmnA.IndexOf("'"), 1);
}

and of course the same for any other columns

Nov 17 '05 #3
What you have is a wide open door to a SQL injection attack. Imagine if someone set

TextBox2.Text = "';drop database accounts;--"

The result would be the dropping of your accounts database. So the standard way to get round this is to use parameters rather than string concatenation to build the statement, e.g. use SqlParameter objects added to the Parameters collection of your command object and change your SQL statement to take parameters:

string sqlstatment = "INSERT INTO TABLENAME VALUES(@col1, @col2)";

In this case you add two parameter objects with the ParameterName set to "@col1" and "@col2" respectively.

Regards

Richard Blewett - DevelopMentor
http://www.dotnetconsult.co.uk/weblog
http://www.dotnetconsult.co.uk

[microsoft.public.dotnet.languages.csharp]
Nov 17 '05 #4
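Added example, not code from any of the posters in this thread: the parameterised INSERT that Ian's and Richard's replies describe, placed next to the original concatenation and next to the quote-stripping loop from Gav's reply, so the effect of each on a value such as "My name'" can be compared. The column names ColumnA and ColumnB, the 50-character lengths and the connection string are assumptions; the thread does not name the table's columns.

```csharp
// Added example, not from the thread.
// Assumed schema (placeholder): TABLENAME(ColumnA varchar(50), ColumnB varchar(50)).
using System;
using System.Data;
using System.Data.SqlClient;

static class InsertExample
{
    // The original post's approach: input is spliced into the SQL text, so a
    // quote in the value changes the statement rather than the data.
    public static string BuildConcatenated(string colmnA, string colmnB)
    {
        return "INSERT INTO TABLENAME VALUES('" + colmnA + "','" + colmnB + "')";
    }

    // Gav's approach: deleting every quote makes the statement parse again,
    // but silently alters what is stored ("My name'" becomes "My name").
    public static string StripQuotes(string value)
    {
        while (value.IndexOf("'") != -1)
        {
            value = value.Remove(value.IndexOf("'"), 1);
        }
        return value;
    }

    // Ian's and Richard's approach: fixed statement text, values sent as typed
    // parameters. The server never parses the value as SQL, so "My name'" is
    // stored exactly as entered and a quote in it cannot end the literal.
    public static int InsertParameterised(string connectionString, string colmnA, string colmnB)
    {
        const string sql = "INSERT INTO TABLENAME (ColumnA, ColumnB) VALUES (@col1, @col2)";
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Giving the SQL type and size explicitly keeps the parameter's contract
            // clear instead of letting it be inferred from the .NET string.
            command.Parameters.Add("@col1", SqlDbType.VarChar, 50).Value = colmnA;
            command.Parameters.Add("@col2", SqlDbType.VarChar, 50).Value = colmnB;
            connection.Open();
            return command.ExecuteNonQuery(); // rows affected: 1 for a single insert
        }
    }

    static void Main()
    {
        // Constructed sample input: the value that broke the original code.
        string colmnA = "My name'";
        string colmnB = "Alex";

        Console.WriteLine(BuildConcatenated(colmnA, colmnB));
        // INSERT INTO TABLENAME VALUES('My name'','Alex')  <- malformed, rejected by the server

        Console.WriteLine(StripQuotes(colmnA));
        // My name                                          <- parses, but the data has been changed

        // InsertParameterised("<connection string placeholder>", colmnA, colmnB)
        // stores ColumnA = "My name'" unchanged and returns 1.
    }
}
```

The first two functions need no database and can be run as-is to see the malformed statement and the altered value; the third needs a SQL Server instance with the assumed table, and is the only one of the three whose behaviour does not depend on what the user typed.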
