fixing multi line text before saving to dbase

Daves

I am saving to a database a result from a multi-line textbox. The database of
course wants \x escape codes, not the invisible ones. Is there any easy,
one-line-code way to do this (C#), e.g. by String.Format()?
 
Patrice

"The database" or a dynamically created SQL statement?

Using String.Replace should do, but you could use parameters instead... IMO
the problem is that you are creating a dynamic SQL string. If you use
parameterized queries you shouldn't have this problem (as line feeds will not
be part of the "SQL statement" but will just be included inside the
parameter value).

Patrice
 
Daves

Umm, not sure what you mean, but it goes like:

string ContentString = Textbox1.Text;

.... here I could do some ContentString.Replace() functions but I thought
maybe there would be a simple one line to do the job eg. String.Format()?
....

SQLString = "UPDATE Content='" + ContentString + "' WHERE ...";
myCommand = new OleDbCommand(SQLString, myConnection);
myCommand.ExecuteNonQuery();
 
jasonkester

Daves said:
... here I could do some ContentString.Replace() functions but I thought
maybe there would be a simple one line to do the job eg. String.Format()?
...

SQLString = "UPDATE Content='" + ContentString + "' WHERE ...";
myCommand = new OleDbCommand(SQLString, myConnection);
myCommand.ExecuteNonQuery();

As Patrice mentioned, you are having problems because you are ignoring
some Best Practices for building applications in .NET. Ideally you
should be using stored procedures:

myCommand = new SqlCommand("sp_ContentUpdate", myConnection);
myCommand.CommandType = CommandType.StoredProcedure; // tell ADO.NET the text is a procedure name, not a statement
myCommand.Parameters.Add("@ContentString", contentString);
myCommand.ExecuteNonQuery();

Ad hoc SQL in your code is a Bad Thing. If you absolutely must use it,
you should at least use parameterized sql:

SQLString = "UPDATE Content SET ContentString = @ContentString WHERE ...";
myCommand = new SqlCommand(SQLString, myConnection);
myCommand.Parameters.Add("@ContentString", contentString);
myCommand.ExecuteNonQuery();

No more formatting your strings off the page, no more SQL Injection
attacks against your site. Check out
http://www.uberasp.net/getarticle.aspx?id=46 for more info.

Good Luck!
Jason
http://www.expatsoftware.com/
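The point Patrice and Jason are both making, as an added example that is not code from the thread: the multi-line textbox value travels as a parameter value, so its line feeds and quotes are never parsed as part of the statement and no Replace()/escaping step is needed. The code is written against the ADO.NET DbConnection/DbCommand base classes so the same UpdateContent works with SqlConnection or OleDbConnection; the runnable Main below uses an in-memory SQLite database through the Microsoft.Data.Sqlite NuGet package, which is an assumption of this example (the thread used OleDb/SqlClient). The table name Content and columns Id/ContentString are taken from Jason's post; the sample text is constructed.

```csharp
// Added example (not from the thread). Assumes the Microsoft.Data.Sqlite package
// for the self-contained run; the ContentStore methods themselves only depend on
// System.Data.Common and work unchanged with SqlConnection or OleDbConnection.
using System;
using System.Data;
using System.Data.Common;
using Microsoft.Data.Sqlite;

static class ContentStore
{
    // Helper: create a typed parameter on the provider's own DbCommand.
    static void AddParam(DbCommand cmd, string name, DbType type, object value)
    {
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.DbType = type;
        p.Value = value;
        cmd.Parameters.Add(p);
    }

    // Same shape as the thread's UPDATE, but the textbox text is a parameter value:
    // CR/LF, apostrophes and comment markers inside it are data, not SQL.
    public static int UpdateContent(DbConnection conn, int id, string contentString)
    {
        using DbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "UPDATE Content SET ContentString = @ContentString WHERE Id = @Id";
        AddParam(cmd, "@ContentString", DbType.String, contentString); // raw text, no Replace()
        AddParam(cmd, "@Id", DbType.Int32, id);
        return cmd.ExecuteNonQuery();
    }

    // Read the value back so the round trip can be checked byte for byte.
    public static string ReadContent(DbConnection conn, int id)
    {
        using DbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT ContentString FROM Content WHERE Id = @Id";
        AddParam(cmd, "@Id", DbType.Int32, id);
        return (string)cmd.ExecuteScalar();
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample: the kind of text a user pastes into a multi-line textbox.
        // With string concatenation the apostrophe alone would break the statement.
        string textboxText = "Line one\r\nIt's line 'two'\r\n-- third line looks like a comment";

        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (DbCommand setup = conn.CreateCommand())
        {
            setup.CommandText =
                "CREATE TABLE Content (Id INTEGER PRIMARY KEY, ContentString TEXT);" +
                "INSERT INTO Content (Id, ContentString) VALUES (1, '');";
            setup.ExecuteNonQuery();
        }

        int rows = ContentStore.UpdateContent(conn, 1, textboxText);
        string stored = ContentStore.ReadContent(conn, 1);

        // Expect exactly one row updated and the text back unchanged, line feeds included.
        Console.WriteLine(rows == 1 && stored == textboxText
            ? "round-trip intact"
            : "mismatch");
    }
}
```

Against SQL Server you would replace the SqliteConnection with a SqlConnection and a real connection string; nothing in ContentStore changes, which is the practical benefit over the concatenated string in the original post: the value's content cannot alter the statement, so neither newline handling nor injection becomes the caller's problem.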
 
Daves

Very interesting, I didn't know this! Does this mean I should also use SP
queries when not using fixed queries, that is, no data from a form?
 