Should we escape ' when building command text?
Message
From
31/12/2007 12:21:51
General information
Forum:
ASP.NET
Category:
Databases
Environment versions
Environment:
ASP.NET
OS:
Windows XP
Database:
MS SQL Server
Miscellaneous
Thread ID:
01278630
Message ID:
01278647
Views:
22
This message has been marked as the solution to the initial question of the thread.
Yes, parameters are *definitely* better and yes, you won't need to worry about escaping the quote.
Command.CommandText = "INSERT INTO Programs (ProgName, ProgramDescription, " +
                "Location, CoordinatorID) VALUES(@Name, @Description, @Location, @ID)\nSELECT @@IDENTITY";
Command.Parameters.AddWithValue("@Name", this.txtbName.Text);
Command.Parameters.AddWithValue("@Description", this.txtbDescription.Text);
Command.Parameters.AddWithValue("@Location", this.txtbLocation.Text);
Command.Parameters.AddWithValue("@ID", CoID);
~~Bonnie

>>Naomi,
>>
>>You should be using Parameters instead.
>>
>>~~Bonnie
>>
>>
>
>Hi Bonnie,
>
>Do you think using parameters is better and I would not need to escape the single quote?
>
>For now I'm just playing with the existing code.
>
>Also how would I use parameters if it's a direct insert command? I'm sorry for such ignorant questions, but could you please point me to the correct approach?
>
>And also would you please help me with my IDE question regarding commenting?
>
>Thanks a lot for your help.
>
>>>Hi everybody,
>>>
>>>I'm looking into the existing code trying to figure out the problem. This code is supposed to create a recurring event, so it is supposed to insert a record into the Programs table and then multiple records into ProgramsTimes table. It is done directly through CommandText.
>>>
>>>This is the code:
>>>
>>>Command.CommandText = string.Format("INSERT INTO Programs (ProgName, ProgramDescription, " +
>>> "Location, CoordinatorID) VALUES('{0}','{1}', '{2}',{3})\nSELECT @@IDENTITY", this.txtbName.Text,
>>> this.txtbDescription.Text, this.txtbLocation.Text, CoID);
>>>
>>>When I was testing this from the user interface I typed ' in the Description field.
>>>
>>>I'm getting an error 'Incorrect syntax near 's. Unclosed quotation mark...'
>>>
>>>So, my first question - is the above command correct or should it be changed?
>>>
>>>My second question - how can I insert datetime when I'm writing a comment?
>>>
>>>Also, is it a general practice to handle this problem with direct insert commands, or is there a better way of doing it? There is a complex logic of calculating dates and times depending on the interface...
>>>
>>>Thanks a lot in advance.
Bonnie Berent DeWitt
NET/C# MVP since 2003

http://geek-goddess-bonnie.blogspot.com
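As an added example (not code from Bonnie's post or from the original application), here is the parameterized approach carried through the whole operation the thread describes: one Programs row followed by several ProgramsTimes rows, in a single transaction. The ProgramsTimes column names (ProgramID, StartTime, EndTime), the parameter sizes and the connection string are assumptions; it uses SCOPE_IDENTITY() rather than @@IDENTITY so the returned key cannot come from a trigger firing on another table.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
// Added example, not the poster's code. Assumed schema: ProgramsTimes(ProgramID, StartTime, EndTime),
// with Programs' identity column as the program key.
public static class ProgramRepository
{
    public static int CreateProgram(string connectionString, string name,
        string description, string location, int coordinatorId,
        (DateTime Start, DateTime End)[] occurrences)
    {
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            using (var tx = conn.BeginTransaction())
            {
                // Every user-supplied value travels as a parameter, so a quote typed into the
                // description ("O'Brien's class") reaches SQL Server as data, never as syntax.
                var cmd = conn.CreateCommand();
                cmd.Transaction = tx;
                cmd.CommandText =
                    "INSERT INTO Programs (ProgName, ProgramDescription, Location, CoordinatorID) " +
                    "VALUES (@Name, @Description, @Location, @ID); " +
                    "SELECT CAST(SCOPE_IDENTITY() AS int);"; // scoped to this statement, unlike @@IDENTITY
                cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
                cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 1000).Value = description;
                cmd.Parameters.Add("@Location", SqlDbType.NVarChar, 200).Value = location;
                cmd.Parameters.Add("@ID", SqlDbType.Int).Value = coordinatorId;
                int programId = (int)cmd.ExecuteScalar();
                // Typed DateTime parameters: the dates are never formatted into the SQL text.
                var timeCmd = conn.CreateCommand();
                timeCmd.Transaction = tx;
                timeCmd.CommandText =
                    "INSERT INTO ProgramsTimes (ProgramID, StartTime, EndTime) VALUES (@ProgramID, @Start, @End)";
                timeCmd.Parameters.Add("@ProgramID", SqlDbType.Int).Value = programId;
                var pStart = timeCmd.Parameters.Add("@Start", SqlDbType.DateTime);
                var pEnd = timeCmd.Parameters.Add("@End", SqlDbType.DateTime);
                foreach (var occurrence in occurrences)
                {
                    // Same prepared command, new values per recurring instance.
                    pStart.Value = occurrence.Start;
                    pEnd.Value = occurrence.End;
                    timeCmd.ExecuteNonQuery();
                }
                tx.Commit(); // either the program and all its times are stored, or none of them
                return programId;
            }
        }
    }
}
```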