Single Quote issue - Visual Basic .NET

fniles

I am looping thru DataReader and constructing a sql query to insert to
another database.
When the data type of the field is string I insert the field value using a
single quote.
When the value of the field has a single quote in it like "O'Toole", how can
I construct the string ?

Do While drSQL.Read
sSQL = "insert into " & sTableName & " values ("
sSQL2 = ""
For x = 0 To iFieldCnt - 1
If IsDBNull(drSQL.Item(x)) Then
sSQL2 = sSQL2 & ",null"
ElseIf drSQL.GetFieldType(x) Is GetType(String) Or
drSQL.GetFieldType(x) Is GetType(Date) Then
sSQL2 = sSQL2 & ",'" & "''" & drSQL.Item(x) &
'" -WHEN the value is O'Toole this becomes 'O'Toole'
Else
sSQL2 = sSQL2 & "," & drSQL.Item(x)
End If
Next x
sSQL2 = Mid(sSQL2, 2, Len(sSQL2))
sSQL = sSQL & sSQL2 & ")"
cmd.CommandText = sSQL -WHEN the value of 1 of the field
is O'Toole this becomes "Insert into myTable values ('O'Toole') and got an
error when executing the ExecuteNonQuery
cmd.ExecuteNonQuery()
Loop

May 22 '07 #1

Subscribe Post Reply

6226

Spam Catcher

"fniles" <fn****@pfmail.comwrote in
news:ur**************@TK2MSFTNGP04.phx.gbl:

When the data type of the field is string I insert the field value
using a single quote.

Don't construct a SQL string with parameters on the fly - this is ripe for
SQL injection attacks.

When the value of the field has a single quote in it like "O'Toole",
how can I construct the string ?

Use SQL Parameters please!
What is a SQL Injection Attack and how to use SQL Parameters:

http://msdn2.microsoft.com/en-us/library/ms161953.aspx

P.S. But if you insist on being careless ;-), to insert a single quote you
would double it... i.e. 'O''Toole'

May 22 '07 #2

Herfried K. Wagner [MVP]

"fniles" <fn****@pfmail.comschrieb:

>I am looping thru DataReader and constructing a sql query to insert to
another database.

Use parameterized command objects instead of building the whole connection
string including the values on your own in order to prevent such problems
and potential security problems caused by SQL injection.

--
M S Herfried K. Wagner
M V P <URL:http://dotnet.mvps.org/>
V B <URL:http://dotnet.mvps.org/dotnet/faqs/>

May 22 '07 #3

Harry Strybos

"fniles" <fn****@pfmail.comwrote in message
news:ur**************@TK2MSFTNGP04.phx.gbl...

>I am looping thru DataReader and constructing a sql query to insert to
another database.
When the data type of the field is string I insert the field value using a
single quote.
When the value of the field has a single quote in it like "O'Toole", how
can I construct the string ?

Do While drSQL.Read
sSQL = "insert into " & sTableName & " values ("
sSQL2 = ""
For x = 0 To iFieldCnt - 1
If IsDBNull(drSQL.Item(x)) Then
sSQL2 = sSQL2 & ",null"
ElseIf drSQL.GetFieldType(x) Is GetType(String) Or
drSQL.GetFieldType(x) Is GetType(Date) Then
sSQL2 = sSQL2 & ",'" & "''" & drSQL.Item(x) &
" -WHEN the value is O'Toole this becomes 'O'Toole'
Else
sSQL2 = sSQL2 & "," & drSQL.Item(x)
End If
Next x
sSQL2 = Mid(sSQL2, 2, Len(sSQL2))
sSQL = sSQL & sSQL2 & ")"
cmd.CommandText = sSQL -WHEN the value of 1 of the field
is O'Toole this becomes "Insert into myTable values ('O'Toole') and got an
error when executing the ExecuteNonQuery
cmd.ExecuteNonQuery()
Loop

You need to put two single quotation marks eg O''Toole (not a double
quotation). Having said that, PLEASE take note of what the other guys are
saying...use paramerized stored procs!

May 22 '07 #4

Bill Nguyen

Put your SQL clause in this function:
for example strQuoteReplace(sSQL)

Bill
Public Shared Function StrQuoteReplace(ByVal strValue As String)

' Replace any single quote in strValue with two single quotes.

' The second argument to Replace consists of

' one single quote enclosed in a pair of double quotes.

' The third argument to Replace consists of

' two single quotes enclosed in a pair of double quotes.

StrQuoteReplace = Replace(strValue, "'", "''")

End Function

"Harry Strybos" <ha**********@ffapaysmart.com.auwrote in message
news:Op**************@TK2MSFTNGP02.phx.gbl...

"fniles" <fn****@pfmail.comwrote in message
news:ur**************@TK2MSFTNGP04.phx.gbl...
>>I am looping thru DataReader and constructing a sql query to insert to
another database.
When the data type of the field is string I insert the field value using
a single quote.
When the value of the field has a single quote in it like "O'Toole", how
can I construct the string ?

Do While drSQL.Read
sSQL = "insert into " & sTableName & " values ("
sSQL2 = ""
For x = 0 To iFieldCnt - 1
If IsDBNull(drSQL.Item(x)) Then
sSQL2 = sSQL2 & ",null"
ElseIf drSQL.GetFieldType(x) Is GetType(String) Or
drSQL.GetFieldType(x) Is GetType(Date) Then
sSQL2 = sSQL2 & ",'" & "''" & drSQL.Item(x) &
-WHEN the value is O'Toole this becomes 'O'Toole'
Else
sSQL2 = sSQL2 & "," & drSQL.Item(x)
End If
Next x
sSQL2 = Mid(sSQL2, 2, Len(sSQL2))
sSQL = sSQL & sSQL2 & ")"
cmd.CommandText = sSQL -WHEN the value of 1 of the field
is O'Toole this becomes "Insert into myTable values ('O'Toole') and got
an error when executing the ExecuteNonQuery
cmd.ExecuteNonQuery()
Loop

You need to put two single quotation marks eg O''Toole (not a double
quotation). Having said that, PLEASE take note of what the other guys are
saying...use paramerized stored procs!

May 22 '07 #5

Similar topics

handling single quotes??

by: SStory | last post by:

How can I handle the user entering single quotes like in Bob's mini mart? If I use command objects will this no longer be an issue? I guess that would mean no simple adhoc SQL statements...

ASP.NET

Building a single EXE file in VB 2005?

by: ashley.ward | last post by:

We have been using VB6 to develop small custom apps that access an Oracle database, in order to extend a larger product that is developed by our colleagues in Germany (who use C++ and Java). As...

Visual Basic .NET

allowing single quote in preg_match

by: Mark Woodward | last post by:

Hi all, I'm trying to validate text in a HTML input field. How do I *allow* a single quote? // catch any nasty characters (eg !@#$%^&*()/\) $match = '/^+$/'; $valid_srch = preg_match($match,...

PHP

Single DLL - How to get rid of ASPX files?

by: Boris Yeltsin | last post by:

I'm using a Web Deployment Project under Visual Studio 2005. What I would love to be able to deploy to a fresh server is just the \bin folder and the web.config (and perhaps a couple of other...

ASP.NET

downloading a single file using multiple threads

by: keerthyragavendran | last post by:

hi i'm downloading a single file using multiple threads... how can i specify a particular range of bytes alone from a single large file... for example say if i need only bytes ranging from...

C# / C Sharp

maintain a single session across multiple servers

by: Samir Chouaieb | last post by:

Hello, I am trying to find a solution to a login mechanism for different domains on different servers with PHP5. I have one main domain with the user data and several other domains that need...

PHP

DB Backup - Single User Mode

by: velu5 | last post by:

Hello , Is it possible/recommended to do SQL server instance backups in Single user mode ? Thanks in advance, atv

Microsoft SQL Server

String Manipulation - Multiple lines to a single line

by: kru | last post by:

Hi All, Simple issue I cannot figure out. I have a multiline textbox, I need to convert the string contents of this textbox into a single line string which I currently write to a textfile. ...

Visual Basic .NET

single if vs if else

by: Chad | last post by:

The question stems from some code at the following url http://www.cplusplus.com/reference/clibrary/cstdio/fread.html In the code example they have a single if statement for the following ...

C / C++

How to turn on java script in a villaon keypad mobile phone

by: Charles Arthur | last post by:

How do i turn on java script on a villaon, callus and itel keypad mobile phone

Java

Basic Javascript concepts

by: aa123db | last post by:

Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...

Javascript

Batch import of multiple excel files into the database

by: ryjfgjl | last post by:

If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...

Data Management

Navigating the Data Structures and Algorithms (DSA)

by: BarryA | last post by:

What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...

Algorithms / Advanced Math

How to build RAID in BIOS?

by: Hystou | last post by:

There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...

Computer Hardware

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...

General

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...

Windows Server

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...

C / C++

Maximizing Business Potential: The Nexus of Website Design and Digital Marketing

by: jinu1996 | last post by:

In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...

Online Marketing