Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Escape special characters in SQL INSERT INTO via C#

Tags:

c#

sql

sql-server

escaping

I have searched google and haven't found any solution for my issue yet. Basically I have a comments feed that is setup within an image gallery (similar to facebook or stackoverflow comments). Users can post comments and read comments posted by other users. This is working fine. However, if a user tries to post a comment with an apostrophe, I get a nice little web application error:

Incorrect syntax near 's'. Unclosed quotation mark after the character string ')'.

The comment that I'm posting to SQL is 81's. I'm wanting a solution that will escape all special characters so that whatever the user types in, no matter what, doesn't error out.

Code Behind

Fetcher.postUserComments(connectionString, imagePath, comments.ToString(), userId);

Fetcher

sqlCom.CommandText = "INSERT INTO dbo.Table(userId, imagePath, userComments, dateCommented) VALUES ('" + userId + "', '" + imagePath + "', '" + comments + "', '" + theDate + "')";

The data type is string and I've also tried doing a .ToString() but no luck. Thanks in advance for any helpful input.

like image 670
frank billy Avatar asked Jun 20 '14 03:06

frank billy

People also ask

How do I escape a special character in SQL insert?

To search for a special character that has a special function in the query syntax, you must escape the special character by adding a backslash before it, for example: To search for the string "where?", escape the question mark as follows: "where\?"

What characters should be escaped in SQL?

%, _, [, ], and ^ need to be escaped, and you will need to choose a suitable escape character, i.e. one that you aren't using elsewhere in your LIKE pattern.

How do I remove a space and special character in SQL?

The TRIM() function removes the space character OR other specified characters from the start or end of a string. By default, the TRIM() function removes leading and trailing spaces from a string. Note: Also look at the LTRIM() and RTRIM() functions.

1 Answers

You should always use parameterized querys. They help you avoid situations like the one you are having, as well as SQL Injection attacks

sqlCom.CommandText = "INSERT INTO dbo.Table(userId, imagePath, userComments, dateCommented) VALUES (@userId, @imagePath, @userComments, @dateCommented)";

sqlCom.Parameters.AddWithValue("@userId", userId);
sqlCom.Parameters.AddWithValue("@imagePath", imagePath);
sqlCom.Parameters.AddWithValue("@userComments", comments);
sqlCom.Parameters.AddWithValue("@dateCommented", theDate);
like image 86
Mike Hixson Avatar answered Sep 20 '22 21:09

Mike Hixson
Sign in to Comment

Related questions

Dynamic Func<IQueryable<TEntity>, IOrderedQueryable<TEntity>> Expression
How do I get all the points between two Point objects?
Why I am getting different result from two almost equal expressions to get data from database using Entity Framework context
C# - Singleton Pattern
how to select specific range from byte array
How to Start a Process Unelevated
Cross domain requests not working in SignalR 2.0.0-rc1
Error while downloading Unity IoC container from Nuget
Setting button flat style programmatically
C++ Vector like class in C#
Reading from a local text file into C#? [closed]
Remote Attribute Validation not firing in Asp.Net MVC
Recursion to create a Sum Method
Defining 4-byte UTF-16 character in a string
C# List to ICollection
Why is my Web API method with double args not getting called?
How to deactivate all children in Unity?
Use Task.Run instead of Delegate.BeginInvoke
VS2013 Windows Service - How to make installer?
Load assembly from Path

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!