Daves said:
... here I could do some ContentString.Replace() functions but I thought
maybe there would be a simple one line to do the job eg. String.Format()?
...
// Original (vulnerable) pattern: the user-supplied value is spliced into the SQL text
SQLString = "UPDATE Content SET ContentString = '" + ContentString + "' WHERE ...";
myCommand = new OleDbCommand(SQLString, myConnection);
myCommand.ExecuteNonQuery();
As Patrice mentioned, you are having problems because you are ignoring
some Best Practices for building applications in .NET. Ideally you
should be using stored procedures:
myCommand = new SqlCommand("sp_ContentUpdate", myConnection);
// Without this the procedure name is sent as an ad hoc SQL batch
myCommand.CommandType = CommandType.StoredProcedure;
myCommand.Parameters.AddWithValue("@ContentString", contentString);
myCommand.ExecuteNonQuery();
Ad hoc SQL in your code is a Bad Thing. If you absolutely must use it,
you should at least use parameterized SQL:
// The SQL text is fixed; the value travels out-of-band as a bound parameter
SQLString = "UPDATE Content SET ContentString = @ContentString WHERE ...";
myCommand = new SqlCommand(SQLString, myConnection);
// Note: OleDbCommand uses positional "?" placeholders instead of @names
myCommand.Parameters.AddWithValue("@ContentString", contentString);
myCommand.ExecuteNonQuery();
No more formatting your strings off the page, no more SQL Injection
attacks against your site. Check out
http://www.uberasp.net/getarticle.aspx?id=46 for more info.
Good Luck!
Jason
http://www.expatsoftware.com/
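An added example, not part of Jason's reply or anything else in this thread: the two patterns above (value spliced into the SQL string vs. value bound as a parameter) run side by side in Python against an in-memory sqlite3 database, standing in for OleDb/SQL Server so it works offline. The Content table with its id and ContentString columns, the sample rows, and the two inputs (a value containing an apostrophe and an injection payload) are constructed for the demo.

```python
import sqlite3

# Constructed sample data: row 1 is the one the user is allowed to edit,
# row 2 belongs to someone else and must never be touched.
SAMPLE_ROWS = [(1, "hello"), (2, "untouched")]

# Constructed inputs: a perfectly legitimate value, and a hostile one.
APOSTROPHE = "O'Brien's page"
INJECTION = "pwned' WHERE 1=1 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Content (id INTEGER PRIMARY KEY, ContentString TEXT)")
    conn.executemany("INSERT INTO Content VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_concat(conn, row_id, text):
    """The pattern from the original post: the value becomes part of the SQL text."""
    sql = "UPDATE Content SET ContentString = '" + text + "' WHERE id = " + str(row_id)
    conn.execute(sql)
    conn.commit()


def update_param(conn, row_id, text):
    """The recommended pattern: fixed SQL, value supplied as a bound parameter.
    sqlite3 uses '?' placeholders where SqlCommand uses @name (OleDbCommand also uses '?')."""
    conn.execute("UPDATE Content SET ContentString = ? WHERE id = ?", (text, row_id))
    conn.commit()


def snapshot(conn):
    """Return the table as {id: ContentString}."""
    return dict(conn.execute("SELECT id, ContentString FROM Content ORDER BY id"))


def run_demo(text):
    """Apply the same user-supplied text with both methods on fresh databases.
    Returns (concat_result, param_result); concat_result is an 'error: ...' string
    when the spliced SQL no longer parses."""
    conn = make_db()
    try:
        update_concat(conn, 1, text)
        concat_result = snapshot(conn)
    except sqlite3.Error as exc:
        concat_result = f"error: {exc}"
    conn.close()

    conn = make_db()
    update_param(conn, 1, text)
    param_result = snapshot(conn)
    conn.close()
    return concat_result, param_result


if __name__ == "__main__":
    for label, text in [("apostrophe", APOSTROPHE), ("injection", INJECTION)]:
        concat_result, param_result = run_demo(text)
        print(f"{label:10} concat -> {concat_result}")
        print(f"{label:10} param  -> {param_result}")
```

The apostrophe case is the bug Daves actually hit: with concatenation the statement fails to parse, with a parameter the text is stored verbatim. The injection case shows why escaping by hand is not the fix: the spliced `WHERE 1=1 --` comments out the real WHERE clause and overwrites every row, while the parameterized version stores the payload as plain data in row 1 and leaves row 2 alone.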