Are there any problems with saving values to a database from a text field
that has an apostrophy in it? I am using SQL Server 2000. My notes are not
clear on this, but I seem to remember that if you save a value to a char or
varchar field in the database and it (the text field) contains an apostropy
in it, it can create problems. Does someone know what I am referring to and
if so what are the issues and where can I find more information?
11  2008 
Thank you for replying.
If I understand your reply correctly you're saying it does cause problems.
What problem does it create? What is the nature of it. When I save a value
with a comma in it the database seems to accept it ok, I mean, I can
retrieve it OK and the comma is still there.
Its only with apostrophe's and strings...
The reason is, when your SQL statements execute (such as an insert) a string
is inserted by
INSERT INTO myTable (myString) Values ('myValue')
you use apostrophies to mark the beginning and end of a string. So, with a
value that has a single apostrophe in it, the SQL server things its the end
or beginning of a string.
therefore, if the apostorphe is in there, it causes SQL to bomb. Commas
don't bomb because it just doesn't matter. They are SQL specific like an
apostrophe. The double apostrophe tells it "yeah, this is an apostrophe but
not the end of mys string, please insert the apostrophe in the string"
and sql does... Kinda like using quotes " " in VB Strings.
HTH.
-CJ
"Woody Splawn" <wo***@splawns.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl... Thank you for replying.
If I understand your reply correctly you're saying it does cause problems.
What problem does it create? What is the nature of it. When I save a
value with a comma in it the database seems to accept it ok, I mean, I can
retrieve it OK and the comma is still there.
I causes all sorts of problems. At best, your query will only fail, at
worst, you'll end up with an injection attack and a hacked database. If you
don't use Command Parameter objects, you'll forget to do the replace and it
will bite you. I've heard many people claim that they'll always remember to
do this, and every time they forget somewhere. The worst part is that since
many people don't have apostrophes in their names, you may not know about
the bug for a long time. Morover, calling Replace every time you create a
SQL Statement is a waste of resources. IN addition, using Parameters will
have a large benefit over hard coded string values. Trust me on this, use
Paramaters (and if at all possible, do yourself a real favor and renounce
dynamic sql construction in exchange for Stored Procs) ... http://www.knowdotnet.com/articles/storedprocsvb.html
So instead of sql = "SELECT * FROM SomeTable where x = '" & someValue & "'"
Use SELECT * FROM SomeTable where x = @SomeValue"
Then, with your command objects, use cmd.Parameters.Add("@SomeValue",
SqlDbType.Whatever).Value = SomeValue,
it's cleaner, safer, less error prone and faster.
HTH,
Bill
"Woody Splawn" <wo***@splawns.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl... Thank you for replying.
If I understand your reply correctly you're saying it does cause problems.
What problem does it create? What is the nature of it. When I save a
value with a comma in it the database seems to accept it ok, I mean, I can
retrieve it OK and the comma is still there.
I'm sorry, earlier I said something like, "When I save a value with an COMMA
in it, the databasse seems to accept it ok". I said comma, but I meant
apostrophy. That is, let's say I have a textbox with the a value in it of
"Don't say no". When I save it, it seems to save OK and when I retrieve the
record back into the Winform it still says "Don't say no". I don't
understand what the problem is.
I am letting the DataAdapter do the work with regard to saving. That is,
when I create the data adapter I select configure data adapter, and then
advance options, Generate update, insert and delete statements. It creates
the code using @ variables. Does this make a difference? Is this why it
appears to be working? Does the problem manifest itself only when I chose
to update in some other manner or is there something I'm missing? therefore, if the apostorphe is in there, it causes SQL to bomb.
When you say it causes SQL to bomb, what specifically happens and when? Are
you saying that if I do an update query under the condidtions you mentioned
that when I try to do the update I will get an exception or error message?
"Woody Splawn" <wo***@splawns.com> wrote in message
news:e6**************@tk2msftngp13.phx.gbl... I'm sorry, earlier I said something like, "When I save a value with an
COMMA in it, the databasse seems to accept it ok". I said comma, but I meant
apostrophy. That is, let's say I have a textbox with the a value in it
of "Don't say no". When I save it, it seems to save OK and when I retrieve
the record back into the Winform it still says "Don't say no". I don't
understand what the problem is.
I am letting the DataAdapter do the work with regard to saving. That is,
when I create the data adapter I select configure data adapter, and then
advance options, Generate update, insert and delete statements. It
creates the code using @ variables. Does this make a difference? Is this why it
appears to be working? Does the problem manifest itself only when I chose
to update in some other manner or is there something I'm missing?
Ok, thats why. Your data adapter alraeady takes care of that stuff for you.
It still generates a SQL statement (because thats just how SQL works) and
replaces values. As stated by william ryan, its always better to use data
adapters and anaything in the .NET framework. So as long as your using DA's
your cool..
therefore, if the apostorphe is in there, it causes SQL to bomb.
When you say it causes SQL to bomb, what specifically happens and when?
Are you saying that if I do an update query under the condidtions you
mentioned that when I try to do the update I will get an exception or error message?
Usually, you just get like an invalid procedure call or invalid statement
syntax. I've personally never seen any attack resulting from apostrophe's.
and yeah, it will throw an exception, bt your using DA's so you don't have
to worry.
Forgive me. I am still somewhat new the Microsoft way of saying and doing
things so I need to ask for clarification. If you don't use Command Parameter objects
I think that you are suggesting that when I do an update to a database (like
SQL Server) and I am using VS.net as my front end, to let VS update it with
command parameters as opposed to some other way. Is this right? If so then
I am on OK ground because this is the only way I really know how to do
things. I mean, what I am doing is this.
I am letting the DataAdapter do the work with regard to saving. That is,
when I create the data adapter I select configure DataAdapter, and then
advance options, Generate update, insert and delete statements. It creates
update
code using @ variables. Is this what you mean?
In the few cases where I may update the database in some other way, I can
write some sort of function or procedure that will check the data for
apostrophe's and replace them with double apostrophes. Is this what VS is
doing with command parameters? These times will be few and I can deal with
that but dealing with it on every text field on every form I'll ever create
seemed extremely onerous.
On Wed, 7 Jan 2004 11:19:49 -0800, "Woody Splawn" <wo***@splawns.com>
wrote: Are there any problems with saving values to a database from a text field
that has an apostrophy in it? I am using SQL Server 2000. My notes are not
clear on this, but I seem to remember that if you save a value to a char or
varchar field in the database and it (the text field) contains an apostropy
in it, it can create problems. Does someone know what I am referring to and
if so what are the issues and where can I find more information?
Nope.. If you're building INSERT statements, replace all single quotes
with two single quotes.
Eg,
Dim szValue As String = "This'll Work Fine"
Dim szSQL = String.Format( _
"INSERT INTO [Table] (Column) VALUES ('{0}')", _
szValue.Replace("'","''")
// CHRIS
It does... what you need to do is replace all your ' 's with double ''
that will take care of it.
"Woody Splawn" <wo***@splawns.com> wrote in message
news:%2****************@TK2MSFTNGP11.phx.gbl... Are there any problems with saving values to a database from a text field
that has an apostrophy in it? I am using SQL Server 2000. My notes are
not clear on this, but I seem to remember that if you save a value to a char
or varchar field in the database and it (the text field) contains an
apostropy in it, it can create problems. Does someone know what I am referring to
and if so what are the issues and where can I find more information?
Hi Woody,
My comment in line.
If you have any concern on this issue, please post here.
Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
-------------------- From: "Woody Splawn" <wo***@splawns.com>
References: <#h**************@TK2MSFTNGP11.phx.gbl>
<vv************@corp.supernews.com> <#k**************@TK2MSFTNGP12.phx.gbl>
<#2**************@tk2msftngp13.phx.gbl>Subject: Re: Apostrophys in text field - SQL Server as backend
Date: Wed, 7 Jan 2004 14:18:38 -0800
Lines: 27
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Message-ID: <O2**************@tk2msftngp13.phx.gbl>
Newsgroups: microsoft.public.dotnet.languages.vb
NNTP-Posting-Host: 168.158-60-66-fuji-dsl.static.surewest.net 66.60.158.168
Path:
cpmsftngxa07.phx.gbl!cpmsftngxa06.phx.gbl!TK2MSFTN GP08.phx.gbl!tk2msftngp13.
phx.gblXref: cpmsftngxa07.phx.gbl microsoft.public.dotnet.languages.vb:170825
X-Tomcat-NG: microsoft.public.dotnet.languages.vb
Forgive me. I am still somewhat new the Microsoft way of saying and doing
things so I need to ask for clarification.
If you don't use Command Parameter objects
I think that you are suggesting that when I do an update to a database
(likeSQL Server) and I am using VS.net as my front end, to let VS update it with
command parameters as opposed to some other way. Is this right? If so
thenI am on OK ground because this is the only way I really know how to do
things. I mean, what I am doing is this.
I am letting the DataAdapter do the work with regard to saving. That is,
when I create the data adapter I select configure DataAdapter, and then
advance options, Generate update, insert and delete statements. It creates
update
code using @ variables. Is this what you mean?
Yes, I think you may check what the code .NET generate for you in the
"Windows Form Designer generated code" region
In the few cases where I may update the database in some other way, I can
write some sort of function or procedure that will check the data for
apostrophe's and replace them with double apostrophes. Is this what VS is
doing with command parameters? These times will be few and I can deal with
that but dealing with it on every text field on every form I'll ever create
seemed extremely onerous.
So if you use the method which William suggests .NET will do the convertion
for you.
(i.e. use @SomeValue in your SQL statement)
Hi Woody,
Did you have any concern on this issue?
If so please post in the newsgroup.
Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
Hi Woody,
Did you have any concern on this issue?
If so please post in the newsgroup.
Regards,
Peter Huang
Microsoft Online Partner Support
Get Secure! www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: astro |
last post by:
Anyone have suggestions on where to troubleshoot this error?
Background:
-Access 2k v. 9.0.6926 sp3
- front and backend on production server (wiindows 2k)
-accessed via Citrix
-front-end is...
|
by: Andy G |
last post by:
I have a very general question and just need someone to lead me in the right
direction. I am constructing a ASP.NET web form that is called
'Acknowledgement'. My client needs people to read and...
|
by: Beowulf |
last post by:
I'm working on upsizing an application from MS Access MDB -> MDB backend
to MS Access ADP -> SQL Server backend. The application has the ability
to create a new, empty database.
Right now all...
|
by: scsTiger |
last post by:
I am using Access 2000 as the front end and MS SQL 2000 as the backend.
I have a one record form that I set using something like:
strSQL = "SELECT * FROM dbo_WBACCT WHERE...
|
by: Bob Alston |
last post by:
Anyone know of any list of changes required in an Access FE to make the
Access FE work with a SQL backend?
ditto for Access FE working with a MYSQL backend?
Bob
|
by: Jim Devenish |
last post by:
I wish to copy a table on a SQL Server backend to a table on an Access
(.mdb) front end in the simplest way.
I have the following to get the recordset but am seeking something
easier.
Dim...
|
by: Tim Ricard |
last post by:
Good afternoon everyone,
I have created a very robust front end for my backend database that is
essentially an all-round office database used for nearly all non-
accounting transactions. I have...
|
by: joecosmides |
last post by:
I have a microsoft access front end and backend database for multi-
user use. I have the back end located on a server that also is an IIS
webserver. I've created a few ASP pages that pull customer...
|
by: joecosmides |
last post by:
I have a microsoft access front end and backend database for multi-
user use. I have the back end located on a server that also is an IIS
webserver. I've created a few ASP pages that pull customer...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
| |
