ESCAPE the apostrophe


I have been looking for how to INSERT text with an apostrophe in it into
SQL. Example:

Dim TEXT As String
Dim SQL As String
TEXT = "TEST'S"
' the value is pasted straight into the SQL text
SQL = "INSERT INTO tbl_Test (String) VALUES('" & TEXT & "')"

This doesn't crash my program, but it gives me an error and doesn't insert
the string correctly.

Does anyone know the escape char in SQL? I tried &apos, and ESCAPE '/'
with a replace(mystring, "'", "/'").

Any help would be great, thanks
Tom
*** Sent via Developersdex http://www.developersdex.com ***
Dec 28 '05 #1

Have you tried escaping it with another ', i.e. something like

....VALUES('" & strText.Replace("'", "''") & "')"

Or use a SqlCommand object and add the strings using
parameter objects without escaping them.

?

/JB

On Wed, 28 Dec 2005 07:10:58 -0800, Thomas Beyerlein <tb***@yahoo.com>
wrote:

I have been looking for how to INSERT text with an apostrophe in it into
SQL. Example:

Dim TEXT As String
Dim SQL As String
TEXT = "TEST'S"
' the value is pasted straight into the SQL text
SQL = "INSERT INTO tbl_Test (String) VALUES('" & TEXT & "')"

This doesn't crash my program, but it gives me an error and doesn't insert
the string correctly.

Does anyone know the escape char in SQL? I tried &apos, and ESCAPE '/'
with a replace(mystring, "'", "/'").

Any help would be great, thanks
Tom
*** Sent via Developersdex http://www.developersdex.com ***


Dec 28 '05 #2
"Thomas Beyerlein" <tb***@yahoo.com> wrote:
I have been looking for how to INSERT text with an apostrophe in it into
SQL. Example:

Dim TEXT As String
Dim SQL As String
TEXT = "TEST'S"
' the value is pasted straight into the SQL text
SQL = "INSERT INTO tbl_Test (String) VALUES('" & TEXT & "')"

This doesn't crash my program, but it gives me an error and doesn't insert
the string correctly.

Does anyone know the escape char in SQL? I tried &apos, and ESCAPE '/'
with a replace(mystring, "'", "/'").


Use a parameterized command object instead, which will perform escaping
automatically.

Sample:

<URL:http://www.vb-tips.com/?ID=550279ec-6767-44ff-aaa3-eb8b44af0137>

--
M S Herfried K. Wagner
M V P <URL:http://dotnet.mvps.org/>
V B <URL:http://classicvb.org/petition/>

Dec 28 '05 #3
Thomas,
As Herfried suggests.

Use parameterized command objects! As it avoids SQL injection attacks!

http://msdn.microsoft.com/msdnmag/is.../SQLInjection/

Of course parameterized command objects also escape apostrophes
correctly...

--
Hope this helps
Jay [MVP - Outlook]
.NET Application Architect, Enthusiast, & Evangelist
T.S. Bradley - http://www.tsbradley.net
"Thomas Beyerlein" <tb***@yahoo.com> wrote in message
news:OG**************@TK2MSFTNGP11.phx.gbl...
|
| I have been looking for how to INSERT text with an apostrophe in it into
| SQL. Example:
|
| Dim TEXT As String
| Dim SQL As String
| TEXT = "TEST'S"
| ' the value is pasted straight into the SQL text
| SQL = "INSERT INTO tbl_Test (String) VALUES('" & TEXT & "')"
|
| This doesn't crash my program, but it gives me an error and doesn't insert
| the string correctly.
|
| Does anyone know the escape char in SQL? I tried &apos, and ESCAPE '/'
| with a replace(mystring, "'", "/'").
|
| Any help would be great, thanks
| Tom
|
|
| *** Sent via Developersdex http://www.developersdex.com ***
Dec 28 '05 #4
Jay,

As there is one thing that Bill Vaughn agrees about (not the only thing), it
is that the article you show should not be on MSDN. For us it is
an invitation for attacks.

As well, I have often seen it told that the parameter does prevent attacks.
In my opinion there was a flaw in SQL Server 2000 that was less easy with
parameters and therefore they should be used. AFAIK that is now protected by
Service Pack 3.

In the article that you show, I have often tried to find why a parameter
would prevent the attack. I never got it from this article; for me it only
explains how you can do an attack if you have the rights to give a text
command to a SQL Server. A parameter does then protect nothing.

For me the parameter is worthwhile because it seamlessly connects .NET with
database servers.

However, maybe you can point me to the part of the article where it shows
that a parameter protects against attacks (not only by telling that).

Cor
Dec 28 '05 #5
Cor,
The section titled "Avoid Dynamic SQL" explains why parameterized SQL
prevents it.

If you need an explanation of how parameterized SQL works versus dynamic
SQL, on the server, you may want to ask "down the hall" in one of the SQL
newsgroups.

--
Hope this helps
Jay [MVP - Outlook]
.NET Application Architect, Enthusiast, & Evangelist
T.S. Bradley - http://www.tsbradley.net
"Cor Ligthert [MVP]" <no************@planet.nl> wrote in message
news:OQ****************@TK2MSFTNGP09.phx.gbl...
| Jay,
|
| As there is one thing that Bill Vaughn agrees about (not the only thing),
| it is that the article you show should not be on MSDN. For us it is
| an invitation for attacks.
|
| As well, I have often seen it told that the parameter does prevent
| attacks.
| In my opinion there was a flaw in SQL Server 2000 that was less easy with
| parameters and therefore they should be used. AFAIK that is now protected by
| Service Pack 3.
|
| In the article that you show, I have often tried to find why a parameter
| would prevent the attack. I never got it from this article; for me it only
| explains how you can do an attack if you have the rights to give a text
| command to a SQL Server. A parameter does then protect nothing.
|
| For me the parameter is worthwhile because it seamlessly connects .NET with
| database servers.
|
| However, maybe you can point me to the part of the article where it shows
| that a parameter protects against attacks (not only by telling that).
|
| Cor
|
|
Dec 28 '05 #6
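A VB.NET illustration of the three approaches discussed in this thread: Tom's string concatenation, JB's doubled apostrophe, and the parameterized SqlCommand that Herfried and Jay recommend, with the reason a parameter protects (the value never becomes part of the statement text). This is added example code, not from any poster; the table tbl_Test and its [String] column are taken from Tom's post, and the connection string is a placeholder.

```vbnet
' Added example, not code from any post in this thread. Assumes a SQL Server
' table tbl_Test with a column named [String] (from Tom's post); the
' connection string in Main is a placeholder.
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module ApostropheDemo

    ' 1. Tom's pattern: the value is pasted into the SQL text. "TEST'S" closes
    '    the literal early and the server sees malformed SQL; any value that
    '    reaches this string is interpreted as SQL rather than as data.
    Function BuildUnsafeSql(ByVal value As String) As String
        Return "INSERT INTO tbl_Test ([String]) VALUES ('" & value & "')"
    End Function

    ' 2. JB's escape: doubling each apostrophe makes T-SQL read it as a literal
    '    quote. It fixes this one character, but the value is still part of the
    '    statement text, so correctness depends on escaping every case by hand.
    Function BuildEscapedSql(ByVal value As String) As String
        Return "INSERT INTO tbl_Test ([String]) VALUES ('" & value.Replace("'", "''") & "')"
    End Function

    ' 3. Parameterized command (Herfried's and Jay's advice). The statement text
    '    contains only the marker @value; the value is sent to the server as a
    '    separate typed parameter and is never parsed as SQL, so no escaping is
    '    needed and "TEST'S" is stored exactly as given.
    Sub InsertParameterized(ByVal connectionString As String, ByVal value As String)
        Using conn As New SqlConnection(connectionString)
            Using cmd As New SqlCommand("INSERT INTO tbl_Test ([String]) VALUES (@value)", conn)
                cmd.Parameters.Add("@value", SqlDbType.NVarChar, 100).Value = value
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    Sub Main()
        Dim text As String = "TEST'S"
        Console.WriteLine(BuildUnsafeSql(text))   ' literal is cut short at the apostrophe
        Console.WriteLine(BuildEscapedSql(text))  ' apostrophe doubled inside the literal
        ' Placeholder connection string; replace before running against a server.
        ' InsertParameterized("Server=(local);Database=PLACEHOLDER;Integrated Security=True", text)
    End Sub

End Module
```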