Apostrophe Blues

Status
Not open for further replies.

DotNetNewbie

Programmer
Mar 3, 2004
344
GB
Hi everyone,

I have a free textbox that allows a user to enter comments. However, the user can enter apostrophes if needed, along with anything else really.

However, when I come to add it to the DB it errors because of the SQLString I have composed.

Can someone give me an idea on how to solve this? Ideally the user should be able to enter apostrophes when needed.

Thanks in advance

 
Use a parameterized query. For example, in SQL Server, it would be:

Code:
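' Requires: Imports System.Data
Dim cmd As New SqlClient.SqlCommand()
With cmd
     .Connection = MyConnection   ' must already be open
     .CommandType = CommandType.Text
     ' The SQL text is fixed; @MyValue is a placeholder, not concatenated text
     .CommandText = "INSERT INTO MyTable (MyField) VALUES (@MyValue)"
     ' The textbox contents travel as a parameter value, apostrophes included
     .Parameters.Add("@MyValue", Trim(TextBox1.Text))
     .ExecuteNonQuery()
End With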

If you need more help, look up parameters in ADO.Net.
 
You might also want to do a Google search on "SQL Injection".

This is an attack used by hackers, and using ADO.NET parameter objects protects you from it.

Chip H.


If you want to get the best response to a question, please check out FAQ222-2244 first
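
An added example, not part of the thread or either poster's code: the failure from the question and the parameterized fix from the replies, reproduced with Python's sqlite3 module in place of ADO.NET and SQL Server so it runs offline. The table and column names follow the snippet above; the helper names and the two sample comments are constructed for illustration.

```python
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE MyTable (MyField TEXT)")
    return conn

def insert_concatenated(conn, comment):
    """The failing pattern from the question: user text pasted into the SQL string."""
    sql = "INSERT INTO MyTable (MyField) VALUES ('" + comment + "')"
    conn.execute(sql)

def insert_parameterized(conn, comment):
    """The fix from the replies: constant SQL text, value bound separately."""
    conn.execute("INSERT INTO MyTable (MyField) VALUES (?)", (comment.strip(),))

def rows(conn):
    return [r[0] for r in conn.execute("SELECT MyField FROM MyTable ORDER BY rowid")]

def try_insert(insert_fn, comment):
    """Run one insert against a fresh database; return (error name or None, stored rows)."""
    conn = make_db()
    try:
        insert_fn(conn, comment)
        error = None
    except sqlite3.Error as exc:
        error = type(exc).__name__
    stored = rows(conn)
    conn.close()
    return error, stored

# Constructed sample inputs (not from the thread)
APOSTROPHE = "It's working, thanks"   # ends the string literal early: syntax error
STRUCTURAL = "first'), ('second"      # quote changes the shape of the statement

if __name__ == "__main__":
    for text in (APOSTROPHE, STRUCTURAL):
        print(repr(text))
        print("  concatenated :", try_insert(insert_concatenated, text))
        print("  parameterized:", try_insert(insert_parameterized, text))
```

With concatenation the first comment raises an error and the second is stored as two rows; with a bound parameter each comment is stored as exactly one row, character for character.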
 