stackoom
  简体   繁体   中英

Single and double quotes in Sql Server 2005 insert query

 原文  2011-11-14 05:59:44       c#/ asp.net/ sql-server/ sql-server-2005

Question

There is single and double quotes in the address textbox .How can I insert into database. I am using SQL2005. My code is as follows... 

str = "exec sp_cust_reg '" + customer.Cust_Id + "','" + customer.Cust_Name + "','" + customer.Gender + "','" + customer.Acc_no + "','" + customer.Address + "','" + customer.Pin_no + "','" + customer.Phone_no + "','" + customer.Mobile_no + "','" + customer.Email + "','" + customer.Authorise + "'";

Address is jo"hn's house

Its Text Visualizer is as follows... 

exec sp_cust_reg 'C7','George Joseph','Male','0001-212123','jo"hn's house','515151','04862787896','8888888888','johnyqw@gmail.com','N'

I used 

string sql = str.Replace("\'", " ");.

Then I get 

exec sp_cust_reg  C7 , George Joseph , Male , 0001-212123 , jo"hn s house , 515151 , 04862787896 , 8888888888 , johnyqw@gmail.com , N

3 answers

solution1
 8  2011-11-14 06:04:18

One word: DON'T DO IT!

Use parametrized queries instead - those are both safer (no SQL injection) and easier to work with, and perform better, too! 

SqlCommand cmd = new SqlCommand("dbo.sp_cust_reg", _connection);
cmd.CommandType = CommandType.StoredProcedure;

// add parameters and their values
cmd.Parameters.Add("@CustID", SqlDbType.Int).Value = customer.Cust_Id;
cmd.Parameters.Add("@Cust_Name", SqlDbType.VarChar, 100).Value = customer.Cust_Name;
 ..... and so on - define all the parameters!

_connection.Open();
cmd.ExecuteNonQuery();
_connection.Close();

solution2
 1  2011-11-14 06:10:10

You can also use Parameterized queries for giving the values, using the AddWithValue() of Parameters like 

SqlCommand cmd = new SqlCommand("dbo.sp_cust_reg",_connection);
cmd.CommandType= CommandType.StoredProcedure;

cmd.Parameters.AddWithValue("@TheDate",customer.Cust_Id);
cmd.Parameters.AddWithValue("@Cust_Name",customer.Cust_Name);

_connection.Open();
cmd.ExecuteNonQuery();
_connection.Close();

Why I am telling to use AddWithValue is - you explicitly set the sqldb.type and SQL knows exactly the dbtype when passed.

solution3
 -1 ACCPTED  2011-11-14 06:01:24

You escape ' as '' .

So instead of str.Replace("\\'", " ") use str.Replace("'", "''")

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Replacing single quotes with double quotes in SQL Query How can I use single query to insert multiple records from Dataset into SQL Server 2005? Escape double quotes in SQL 2005/2008 SQL Query with single quotes How to insert string containing single or double quotes Insert Double In Sql Server XML query in SQL Server 2005 Replacing single quotes with double Quotes Insert string into SQL query without quotes Compress SQL Server 2005 query results?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM