best practive for inserting ' and " chars on database

Lum,

You actually shouldn't be doing it at all. When you have strings that
you need to embed in your sql statements, create a parameterized query, and
then pass the string to the parameter object itself. The provider will be
responsible for handling the correct quoting for you.

It also adds security to your system overall (you won't be subject to
SQL injection attacks).

Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Luminal" <luminal_NOSPAM@hotpop_NOSPAM.com> wrote in message
news:O0**************@TK2MSFTNGP09.phx.gbl...

greetings

i'm developing an C# application using Access as database and I'm having
problems inserting data containing the ' char and the " char. What is the
best practice to insert this chars on database?

TIA

Lum

Hi,

wel, I think this helps, but can you give a little example or article
about parameterized queries?

Thanks

Lum

Nicholas Paldino [.NET/C# MVP] wrote:

Lum,

You actually shouldn't be doing it at all. When you have strings that
you need to embed in your sql statements, create a parameterized query, and
then pass the string to the parameter object itself. The provider will be
responsible for handling the correct quoting for you.

It also adds security to your system overall (you won't be subject to
SQL injection attacks).

Hope this helps.

Luminal <luminal_NOSPAM@hotpop_NOSPAM.com> wrote:

wel, I think this helps, but can you give a little example or article
about parameterized queries?

If you look up SqlCommand.Parameters in MSDN you'll find an example
there. If you're not using SQL Server, look up the equivalent for your
provider.

--
Jon Skeet - <sk***@pobox.com>
http://www.pobox.com/~skeet
If replying to the group, please do not mail me too