Should we escape ' when building command text?
Message
From
03/01/2008 13:59:48

General information
Forum:
ASP.NET
Category:
Databases
Environment versions
Environment:
ASP.NET
OS:
Windows XP
Database:
MS SQL Server
Miscellaneous
Thread ID:
01278630
Message ID:
01279316
Views:
11
What error are you getting? Is it at run-time or compile-time?

~~Bonnie




>>Yes, parameters are *definitely* better and yes, you won't need to worry about escaping the quote.
>>
>>
>>Command.CommandText = "INSERT INTO Programs (ProgName, ProgramDescription, " +
>>                "Location, CoordinatorID) VALUES(@Name, @Description, @Location, @ID)\nSELECT @@IDENTITY";
>>Command.Parameters.AddWithValue("@Name", this.txtbName.Text);
>>Command.Parameters.AddWithValue("@Description", this.txtbDescription.Text);
>>Command.Parameters.AddWithValue("@Location", this.txtbLocation.Text);
>>Command.Parameters.AddWithValue("@ID", CoID);
>>
>>
>
>Hi Bonnie,
>
>Can I use the same technique within a loop or I should go John's way?
>
>I tried to change the original code using string.Format to
>
>            foreach (ListItem Item in this.lsbEvntTargetPop.Items)
>            {
>                if (Item.Selected)
>                {
>                    Command.CommandText += "\nINSERT INTO EventTargets VALUES(@EvID,@EventVal)";
>                    Command.Parameters.AddWithValue("@EventVal", Item.Value);
>
>                }
>            }
>
>but I'm getting an error. How should I change this?
>
>Thanks again for your help.
Bonnie Berent DeWitt
NET/C# MVP since 2003

http://geek-goddess-bonnie.blogspot.com
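
One way to keep the loop from the quoted question fully parameterized, as an added example rather than code from anyone in this thread: SQL Server requires each parameter name to be declared only once per batch, so the shared `@EvID` is added once and every selected item gets its own numbered `@EventVal` name. The class and method names, the column types (`int`, `nvarchar(50)`) and the sample values are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

static class EventTargetBatch
{
    // SQL Server accepts at most 2100 parameters per command.
    const int MaxParameters = 2100;

    // Builds one command that inserts a row per selected value.
    // The SQL text holds only placeholders; the values travel as typed parameters,
    // so a quote inside a value never becomes part of the statement.
    public static SqlCommand Build(int eventId, IList<string> selectedValues)
    {
        if (selectedValues.Count == 0 || selectedValues.Count + 1 > MaxParameters)
            throw new ArgumentException("Need between 1 and 2099 values per batch.");

        var cmd = new SqlCommand();
        var sql = new StringBuilder();

        // @EvID is shared by every statement, so it is added once, outside the loop.
        cmd.Parameters.Add("@EvID", SqlDbType.Int).Value = eventId;

        for (int i = 0; i < selectedValues.Count; i++)
        {
            // The name comes from the loop index, never from user input.
            string name = "@EventVal" + i;
            sql.AppendLine("INSERT INTO EventTargets VALUES(@EvID, " + name + ");");
            // Assumed column type: nvarchar(50).
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 50).Value = selectedValues[i];
        }

        cmd.CommandText = sql.ToString();
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input, including a value that contains a single quote.
        var cmd = Build(42, new List<string> { "Adults", "Children's groups" });
        Console.Write(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine(p.ParameterName + " = " + p.Value);
        // Assign cmd.Connection (and a transaction) before calling ExecuteNonQuery().
    }
}
```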