472,951 Members | 2,204 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > c# / c sharp > questions > parse string from c# to stored procedure

Join Bytes to post your question to a community of 472,951 software developers and data experts.

Parse string from C# to stored procedure

Dear All Experts

I faced a problem which cannot solve

In C#, I am using SqlParameter to store the input parameter of stored
procedure with their value

Then in stored procedure, we have 2 style

First, run the SQL normal, e.g.

INSERT INTO Table1 (field1, field2, @param1, @param2)

Another is using EXECUTE sp_executesql, e.g.

SET @nvchSQL = N'INSERT INTO Table1(field1, field2, ' + @param1 + ', ' +
@param2 +')'

If the parameter contains single quote, the first one method is no problem,
but error will occur in method two
If I replace the single quote to two single quote, both can run correct, but
the field value in first method will contains two single quote

I dont want to replace the single quote in stored procedure since it is very
developer dependance, if the developer havent' replace the single quote, the
stored procedure maybe failed. And I would like to solve this problem in
programming level, said write a class to solve this problem, and all
developers will use that class no matter the stored procedure in first or
second format

Thanks
Nov 7 '06 #1
4 2649
More a SQL point than a C# one, but if you are using sp_executesql you
should be using parameters *inside* the dynamic sql. Note that sp_executesql
accepts a number of parameters: the query (sql), the parameter declaration
(like the parameter list to an sp), and then the ordered values for each
parameter value.

E.g. (unchecked)
EXEC sp_excecutesql N'select @param1, @param2', N'@param1 int, @param2
varchar(20)', 5, 'test'

This then allows you to safely pass unescaped values into the dynamic sql
(put your sp params in place of the literals). It also allows re-use of the
query plan, without any danger of injection.

Marc
Nov 7 '06 #2
Better example; note that the parameter names don't have to match, but there
is no problem if they do - they are scoped separately. Here the "outer"
parameters would typically be your SP parameters.

DECLARE @outer_param1 int, @outer_param2 varchar(20)
SELECT @outer_param1 = 5, @outer_param2 = 'injection '' attempt'

EXEC sp_executesql
N'select @inner_param1, @inner_param2',
N'@inner_param1 int, @inner_param2 varchar(20)',
@outer_param1, @outer_param2

Marc
Nov 7 '06 #3
wor~ thanks Marc~

Let me try this method~

thanks~

"Marc Gravell" <ma**********@gmail.comwrote in message
news:OO**************@TK2MSFTNGP03.phx.gbl...
Better example; note that the parameter names don't have to match, but
there
is no problem if they do - they are scoped separately. Here the "outer"
parameters would typically be your SP parameters.

DECLARE @outer_param1 int, @outer_param2 varchar(20)
SELECT @outer_param1 = 5, @outer_param2 = 'injection '' attempt'

EXEC sp_executesql
N'select @inner_param1, @inner_param2',
N'@inner_param1 int, @inner_param2 varchar(20)',
@outer_param1, @outer_param2

Marc


Nov 8 '06 #4
No problem

Nov 8 '06 #5
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

18
Unwanted Escape Codes In String...
by: Steve Litvack | last post by:
Hello, I have built an XMLDocument object instance and I get the following string when I examine the InnerXml property: <?xml version=\"1.0\"?><ROOT><UserData UserID=\"2282\"><Tag1...
C# / C Sharp
1
Can't get a string from SQL query
by: Andrew Morton | last post by:
I've got a stored procedure which works as expected using Run Stored Procedure in VS.NET:- ----------------------------------------------------------- ALTER PROCEDURE dbo.ValidateUser @Username...
.NET Framework
3
Parse error a in short stored procedure : What's wrong ?
by: Bruno BAGUETTE | last post by:
Hello, I have a PL/PGSQL stored procedure that makes me mad currently... (The stored procedure is a procedure that simulates a materialized view) It complains about a parse error when I call...
PostgreSQL Database
3
How to pass stored procedure as string to another method?
by: Assimalyst | last post by:
Hi, I have two methods. In one i would like to create a string from a stored procedure to pass to the second which populates a datagrid. private void method() { string sqlString =...
C# / C Sharp
2
stored procedure not accepting data string more than 1024 bytes
by: Roger | last post by:
I have a stored procedure running on DB2 V7 Z/os calling a COBOL program to do some inserts. The stored procedure have 3 input columns and one column is of varchar(32648) The stored procedure is...
DB2 Database
0
urgent : stored procedure not accepting data string more than 1024 bytes
by: Roger | last post by:
have a stored procedure running on DB2 V7 Z/os calling a COBOL program to do some inserts. The stored procedure have 3 input columns and one column is of varchar(32648) The stored procedure is...
DB2 Database
1
AdrianH
How to Parse a File in C
by: AdrianH | last post by:
Assumptions I am assuming that you know or are capable of looking up the functions I am to describe here and have some remedial understanding of C programming. FYI Although I have called this...
C / C++
13
I want to parse @ArrayOfDays into @d1 through @d5
by: bobc | last post by:
In my stored procedure, I want to parse @ArrayOfDays into @d1 through @d5. @ArrayOfDays is a varchar input parameter containing, for example, "1.7.21.25.60." - five elements. Most active...
Microsoft SQL Server
15
long string to sql db
by: cj | last post by:
I've got a long string to be written to a field in a sql db table via stored procedure. For some reason I find only 258 chars are being written. Any ideas? relevant bits of my VB2005 code: ...
Visual Basic .NET
2
isladogs
Access Europe meeting on Wed 6 Sept - Database Analyzer and other tools
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Sept 2023 starting at 18:00 UK time (6PM UTC+1) and finishing at about 19:15 (7.15PM) The start time is equivalent to 19:00 (7PM) in Central...
Microsoft Access / VBA
0
React to native button blinking effect
by: lllomh | last post by:
Define the method first this.state = { buttonBackgroundColor: 'green', isBlinking: false, // A new status is added to identify whether the button is blinking or not } autoStart=()=>{
Software Development
0
How to calculate date of retirement from date of birth
by: Mushico | last post by:
How to calculate date of retirement from date of birth
Data Management
2
isladogs
Access Europe meeting on Wed 4 Oct - The future of Access
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 4 Oct 2023 starting at 18:00 UK time (6PM UTC+1) and finishing at about 19:15 (7.15PM) The start time is equivalent to 19:00 (7PM) in Central...
Microsoft Access / VBA
0
How to find best mobile app development company in usa
by: Aliciasmith | last post by:
In an age dominated by smartphones, having a mobile app for your business is no longer an option; it's a necessity. Whether you're a startup or an established enterprise, finding the right mobile app...
Mobile Development
0
tracyyun
Can faster file sharing be achieved by connecting computers simultaneously via WiFi and LAN cables
by: tracyyun | last post by:
Hello everyone, I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
Networking - Hardware / Configuration
2
Energy Model code modification to account for year dependent interest rate
by: giovanniandrean | last post by:
The energy model is structured as follows and uses excel sheets to give input data: 1-Utility.py contains all the functions needed to calculate the variables and other minor things (mentions...
Python
3
NeoPa
VBA Class Basics
by: NeoPa | last post by:
Introduction For this article I'll be using a very simple database which has Form (clsForm) & Report (clsReport) classes that simply handle making the calling Form invisible until the Form, or all...
Microsoft Access / VBA
1
Report value list
by: Teri B | last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course. 0ne-to-many. One course many roles. Then I created a report based on the Course form and...
Microsoft Access / VBA

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2023
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!