Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

MySql command parameters with quotes

Tags:

c#

mysql

i want to insert rows to a MySql Database through my c# application (using Connector/Net 8.0.11). I'm using command parameters to pass the values because - in my understanding - i don't have to care about any kind of special characters. Please find a simplified code example below.

MySqlCommand Cmd = new MySqlCommand("INSERT INTO testtab(TestCol1,TestCol2) VALUES(@test1,@test2)", Con);

Cmd.Parameters.AddWithValue("@test1", "12'34");
Cmd.Parameters.AddWithValue("@test2", "56");

Cmd.ExecuteNonQuery();

But the single quote in "12'34" leads to an exception:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '34','56')' at line 1"

I know that i could simply not use parameters at all, and just double the quote inside my value string... but i have built similar apps using Connector/ODBC and they work fine. Can you please help me to find the trick with Connector/Net?

like image 259
m.denis Avatar asked May 17 '18 14:05

m.denis


People also ask

How do I insert a quote in MySQL?

QUOTE() : This function in MySQL is used to return a result that can be used as a properly escaped data value in an SQL statement. The string is returned enclosed by single quotation marks and with each instance of backslash (\), single quote ('), ASCII NULL, and Control+Z preceded by a backslash.

When should I use quotes in MySQL?

single quotes are used to indicate the beginning and end of a string in SQL. Double quotes generally aren't used in SQL, you use them in order to store lets say the whole SQL statement(query), in a variable so you can use it later in your code.

Does MySQL support double quotes?

Double quotes are supported by MySQL for string values as well, but single quotes are more widely accepted by other RDBMS, so it is a good habit to use single quotes instead of double. MySQL also expects DATE and DATETIME literal values to be single-quoted as strings like '2001-01-01 00:00:00' .

How do I escape a quote in MySQL?

Backslash ( \ ) and the quote character used to quote the string must be escaped.


1 Answers

I really appreciate your help ladies and gentlemen - and special thanks to Progman, your comment solved my problem.

I'll now answer my own question to sum it up. There are 3 possible solutions:

The whole issue is related to the SQL mode NO_BACKSLASH_ESCAPES. One solution could be turning off that particular SQL mode.

fubo mentioned in his comment:

The escaping result of MySql.Data.MySqlClient.MySqlHelper.EscapeString("12'34") is 12\'34

It is weird but the SQL mode NO_BACKSLASH_ESCAPES struggles with the escape strings of parameter values (imo this is a bug in Connector/Net since Connector/ODBC works fine). Another solution could be using Connector/ODBC.

The final trick for me was Progmans comment:

According to dev.mysql.com/doc/connector-net/en/… you have to call Prepare() before adding the values.

This is more like a workaround, but if you use SQL mode NO_BACKSLASH_ESCAPES and command parameters together, you have to call Prepare() before calling ExecuteNonQuery(). Please note that - unlike the example in the developer guide - i couldn't call it before adding the parameters (you'll get an exception), and i added IgnorePrepare=false to the connection string. I assume the reason why this works is because it changes the data transfer between client and server:

Another advantage of prepared statements is that, with server-side prepared statements enabled, it uses a binary protocol that makes data transfer between client and server more efficient.

Here is the code snippet that works for me:

//add IgnorePrepare=false to the connection string
MySqlConnection Con = new MySqlConnection("Server = localhost; Port = 3306; Database = param_test; Uid = ***; Pwd = ***; SslMode=none; IgnorePrepare=false");
Con.Open();
MySqlCommand Cmd = new MySqlCommand("INSERT INTO testtab(TestCol1,TestCol2) VALUES(@test1,@test2)", Con);

Cmd.Parameters.AddWithValue("@test1", "12'34");
Cmd.Parameters.AddWithValue("@test2", "56");

Cmd.Prepare();  //calling it after Adding the parameters works fine
Cmd.ExecuteNonQuery();
like image 150
m.denis Avatar answered Oct 20 '22 15:10

m.denis