fixing multi line text before saving to dbase

Discussion in 'ASP .Net' started by Daves, Mar 9, 2005.

  1. Daves

    Daves Guest

    I am saving the result from a multi-line textbox to a database. The database of
    course wants \x escape codes, not the invisible ones. Is there any easy -
    one line of code - way to do this (C#), e.g. by String.Format()?
     
    Daves, Mar 9, 2005
    #1

  2. Patrice

    Patrice Guest

    "The database" or a dynamically created SQL statement ?

    Using String.Replace should do, but you could use parameters instead... IMO
    the problem is that you are creating a dynamic SQL string. If you use
    parameterized queries you shouldn't have this problem (as line feeds will not
    be part of the "SQL statement" but will just be included inside the
    parameter value).

    Patrice

    --

    "Daves" <> a écrit dans le message de
    news:...
    > I am saving to database a result from multi-line textbox. The database of
    > course wants \x escape codes, not the invisible ones. Is there any easy -
    > one line code - way to do this (c#) eg by String.Format() ?
    >
    >
     
    Patrice, Mar 9, 2005
    #2

  3. Daves

    Daves Guest

    umm, not sure what you mean, but it goes like

    string ContentString = Textbox1.Text;

    .... here I could do some ContentString.Replace() functions but I thought
    maybe there would be a simple one-liner to do the job, e.g. String.Format()?
    ....

    // builds the statement by string concatenation, so the textbox content
    // (line breaks, quotes and all) becomes part of the SQL text itself
    SQLString = "UPDATE Content='" + ContentString + "' WHERE ...";
    myCommand = new OleDbCommand(SQLString, myConnection);
    myCommand.ExecuteNonQuery();




    "Patrice" <> wrote in message
    news:%...
    > "The database" or a dynamically created SQL statement ?
    >
    > Using String.Replace should do but you could use parameters instead... IMO
    > the problem is that you are creating a dynamic SQL string. If you use
    > parametized queries you shouldn't have this problem (as line feeds will
    > not
    > be part of the "SQL statement" but will just be included inside the
    > parameter value).
    >
    > Patrice
    >
    > --
    >
    > "Daves" <> a écrit dans le message de
    > news:...
    >> I am saving to database a result from multi-line textbox. The database of
    >> course wants \x escape codes, not the invisible ones. Is there any easy -
    >> one line code - way to do this (c#) eg by String.Format() ?
    >>
    >>

    >
    >
     
    Daves, Mar 9, 2005
    #3
  4. jasonkester

    jasonkester Guest

    Daves wrote:
    > ... here I could do some ContentString.Replace() functions but I

    thought
    > maybe there would be a simple one line to do the job eg.

    String.Format()?
    > ...
    >
    > SQLString = "UPDATE Content='" + ContentString + "'" WHERE ...";
    > myCommand = new OleDbCommand(SQLSave, myConnection);
    > myCommand.ExecuteNonQuery();


    As Patrice mentioned, you are having problems because you are ignoring
    some Best Practices for building applications in .NET. Ideally you
    should be using stored procedures:

    myCommand = new SqlCommand("sp_ContentUpdate", myConnection);
    myCommand.CommandType = CommandType.StoredProcedure; // otherwise the name is run as plain SQL text
    myCommand.Parameters.Add("@ContentString", contentString);
    myCommand.ExecuteNonQuery();

    Ad hoc SQL in your code is a Bad Thing. If you absolutely must use it,
    you should at least use parameterized SQL:

    SQLString = "UPDATE Content set ContentString = @ContentString WHERE ....";
    myCommand = new SqlCommand(SQLString, myConnection);
    myCommand.Parameters.Add("@ContentString", contentString); // value is bound as data, never spliced into the SQL text
    myCommand.ExecuteNonQuery();

    No more formatting your strings off the page, no more SQL Injection
    attacks against your site. Check out
    http://www.uberasp.net/getarticle.aspx?id=46 for more info.

    Good Luck!
    Jason
    http://www.expatsoftware.com/
     
    jasonkester, Mar 9, 2005
    #4
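    The parameterized version written against the OleDbCommand the original poster is actually using, as an added example (not code from anyone in the thread). It assumes a table Content(Id, ContentString) and a connection string in connStr; both are placeholders.

```csharp
using System;
using System.Data;
using System.Data.OleDb;

// Added example, not code from the thread. Table name, column names and
// the connection string are assumed placeholders.
public static class ContentRepository
{
    public static int SaveContent(string connStr, int id, string contentString)
    {
        // OLE DB providers use positional '?' markers rather than the named
        // @parameters SqlCommand accepts; parameters bind in the order added.
        const string sql = "UPDATE Content SET ContentString = ? WHERE Id = ?";

        using (var conn = new OleDbConnection(connStr))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;

            // The textbox value travels as data, so its line breaks and
            // apostrophes never touch the SQL text: no escaping needed or wanted.
            cmd.Parameters.Add("ContentString", OleDbType.LongVarWChar).Value = contentString;
            cmd.Parameters.Add("Id", OleDbType.Integer).Value = id;

            conn.Open();
            return cmd.ExecuteNonQuery(); // number of rows updated
        }
    }
}
```

    Round-tripping the stored value back out should return the textbox content byte for byte, which is the quickest check that nothing is being escaped or mangled along the way.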
  5. Daves

    Daves Guest

    Very interesting, I didn't know this! Does this mean I should also use SP
    queries when not using fixed queries, that is, no data from a form?


    "jasonkester" <> wrote in message
    news:...
    > Daves wrote:
    >> ... here I could do some ContentString.Replace() functions but I

    > thought
    >> maybe there would be a simple one line to do the job eg.

    > String.Format()?
    >> ...
    >>
    >> SQLString = "UPDATE Content='" + ContentString + "'" WHERE ...";
    >> myCommand = new OleDbCommand(SQLSave, myConnection);
    >> myCommand.ExecuteNonQuery();

    >
    > As Patrice mentioned, you are having problems because you are ignoring
    > some Best Practices for building applications in .NET. Ideally you
    > should be using stored procedures:
    >
    > myCommand = new SqlCommand("sp_ContentUpdate", myConnection);
    > myCommand.Parameters.Add("@ContentString", contentString);
    > myCommand.ExecuteNonQuery();
    >
    > Ad hoc SQL in your code is a Bad Thing. If you absolutely must use it,
    > you should at least use parameterized sql:
    >
    > SQLString = "UPDATE Content set ContentString = @ContentString WHERE
    > ...";
    > myCommand = new SqlCommand(SQLString , myConnection);
    > myCommand.Parameters.Add("@ContentString", contentString);
    > myCommand.ExecuteNonQuery();
    >
    > No more formatting your strings off the page, no more SQL Injection
    > attacks against your site. Check out
    > http://www.uberasp.net/getarticle.aspx?id=46 for more info.
    >
    > Good Luck!
    > Jason
    > http://www.expatsoftware.com/
    >
     
    Daves, Mar 10, 2005
    #5