Apostrophe in SQL Syntax

[Guest]

Thanks for your time.

I've built an asp.net/vb.net CMS(Content Management System) application. I
have several different UI's that provide the user the ability to maintain
site content that is stored in a MySQL db. Currently I'm using ado.net to
connect to the MySQL db.

I'm having difficulty with apostrophes in the sql syntax that updates, and
adds new records. (example:Joe's Garage causes an error).

I've tried replace(mystring, "'","''") - double quotes, replace(mystring,
"'","/'") - MySQL escape chars. No luck. I was going to give parameters a
try. Will this solve the problem? Does ADO support parameters - or are they
strictly an OleDB type thing? The site is hosted, so I don't think that I
can use DSNs, or install anything.

 

[Damon Payne]

Using paramters will fix the issue.

 

[Steve C. Orr [MVP, MCSD]]

You should use ADO.NET parameter objects. They will solve your problem and
they will also protect you from SQL Injection Attacks, which it sounds like
your code is probably vulnerable to at this time.

Here's more info:
http://msdn.microsoft.com/library/d...systemdatasqlclientsqlparameterclasstopic.asp

http://msdn.microsoft.com/library/d...ngparameterizedstoredprocedurevisualbasic.asp

 

[Guest]

Thanks for your posts - on sunday night no less.

I'll move forward with the parameter method. Can anyone explain why the
replace method failed?

 

[Scott Allen]

Hi Brian:

Were you assigning the result of String.Replace into a new string?
Replace doesn't modify the object you invoke the method upon, but
instead returns a new instance of a string.