tags:

views:

68

answers:

1
+2  Q: 

sql ce escape '(single quote) C#

I am writing some code to store names in a database. I limit the names to only certain characters, but last names are a challenge. Since some people have single quotes in their name (example O'Brian) I need to allow this. So I wrote a regex replace to replace the ' with a \' which I assumed should make the ' a literal. It works as far as replacement goes, but it still marks the end of the string, and I get the error

There was an error parsing the query. [ Token line number=1, token line offeset = 71, token in error=Brian]

I understand the error, the single quote marks the end of the string to be entered leaving the rest of the string Brian outside the quotes.

The code I am using:

Regex reg = new Regex("\'");
firstName = reg.Replace(firstName, "\\'");
lastName = reg.Replace(lastName, "\\'"):

Then the select query is built with string.format

sqlInsertObj.CommandText = string.Format("INSERT INTO childNameId (childFName, childLName) VALUES ('{0}', '{1}')", fName, lName);
 sqlInsertObj.ExecuteNonQuery();

This works for any entry, except when there is a quote in the name.

+2  A: 

It's better to use parameterized sql queries, instead of building them with string concatenation. Documentation and an example can be found at MSDN.

If you insist on string concatenation escape it with a double single quote instead of \.

firstName = firstName.Replace("'", "''" );
Mikael Svenson  2010-09-26 17:09:40
I tried that, it still throws an exception.
Dusty Lew  2010-09-26 17:16:30
Ok, thanks. I was trying to convert how I have worked with MySQL in the past into sql ce. It is weird though, that the double quote throws an exception still. Thanks, I will look into the parameterized sql queries. Is there any reason that it is better?
Dusty Lew  2010-09-26 17:58:07
Parameterized queries are the only way you should do this. They avoid more problems than just single quotes. It's also a security problem if you don't use them, because it'll leave you far more vulnerable to SQL injection attacks
Sander Rijken  2010-09-26 18:12:50
@Sander: thanks for explaining what i meant by "better". I was a bit quick writing it.
Mikael Svenson  2010-09-26 18:35:35
@Dusty: do you get the same exception? And mysql also supports parameterized queries. I've used that in the past.
Mikael Svenson  2010-09-26 18:37:28
Parametized queries protect against sql injections, so does that mean that I don't need the regex I wrote to only allow certain characters before inserting the data into my database? and no, the exception was having to do with there being no column, it was acting like I was trying to insert 3 separate values, but had only defined two columns for them to go into. So, for some reason the double single quote wasn't acting as an escape character, but instead marking the end of the value.
Dusty Lew  2010-09-26 18:38:27
@Dusty: Correct, you can skip the regex and send the real value unmodified in the parameter. Easier and safer.
Mikael Svenson  2010-09-26 19:11:18
Perfect, this is exactly what I needed. Thank you so much.
Dusty Lew  2010-09-26 20:18:31

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?