SQL and apostrophes

Discussion in 'ASP .Net' started by Chris Huddle, Dec 10, 2003.

  1. Chris Huddle

    Chris Huddle Guest

    Normally, if you have a value in a SQL statement that contains an
    apostrophe, you replace the ' with a ''. But how do you handle it in VB.NET
    if you are using a DataAdapter? The SQL statements are created on the fly
    by the commandbuilder and there's no way to replace the apostrophe. Surely
    Microsoft has a way around this. Thanks! - Chris
    Chris Huddle, Dec 10, 2003
    #1

  2. Chris Huddle

    Hermit Dave Guest

    Hey Chris,

    Don't know about VB.NET and I don't use command builder as such, but I do use
    SqlCommand and SqlParameters, writing code using stored procs and params.
    In my experience so far (which did surprise me at the start) there
    was no need for me to use " 'my string value with apostrophe''s' ". I
    could just create a SqlParameter of type nvarchar and pass it "my string
    value with apostrophe's" and it just inserted it fine in the database. Tried
    it with inserts and updates and it works.
    So I reckon it should be similar with command builder.
    But get into debug mode and check the actual string before it's executed by
    the command object.

    Chao,

    Hermit Dave

    "Chris Huddle" <> wrote in message
    news:%...
    > Normally, if you have a value in a SQL statement that contains an
    > apostrophe, you replace the ' with a ''. But how do you handle it in VB.NET
    > if you are using a DataAdapter? The SQL statements are created on the fly
    > by the commandbuilder and there's no way to replace the apostrophe. Surely
    > Microsoft has a way around this. Thanks! - Chris
    Hermit Dave, Dec 10, 2003
    #2

  3. You should use ADO.NET parameter objects. They will solve this problem and
    similar problems and protect you against SQL Injection Attacks.
    Here's more info:
    http://msdn.microsoft.com/library/d...systemdatasqlclientsqlparameterclasstopic.asp
    http://msdn.microsoft.com/library/d...ngparameterizedstoredprocedurevisualbasic.asp

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://Steve.Orr.net
    Hire top-notch developers at http://www.able-consulting.com



    "Chris Huddle" <> wrote in message
    news:%...
    > Normally, if you have a value in a SQL statement that contains an
    > apostrophe, you replace the ' with a ''. But how do you handle it in VB.NET
    > if you are using a DataAdapter? The SQL statements are created on the fly
    > by the commandbuilder and there's no way to replace the apostrophe. Surely
    > Microsoft has a way around this. Thanks! - Chris
    Steve C. Orr [MVP, MCSD], Dec 10, 2003
    #3
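
The parameter approach recommended in the replies above, as an added example that is not part of the original thread. It uses Python's built-in sqlite3 module rather than ADO.NET so that it runs without a database server; the table, column and sample values are constructed for illustration. It compares pasting the value into the SQL text, doubling the apostrophes by hand, and binding the value as a parameter.

```python
import sqlite3

# Constructed sample values containing apostrophes (not from the thread).
SAMPLES = ["O'Brien", "rock 'n' roll", "trailing'"]

def new_db():
    """In-memory database with a hypothetical one-column table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    return conn

def insert_concatenated(conn, name):
    """Value pasted into the SQL text: the apostrophe ends the literal early."""
    try:
        conn.execute("INSERT INTO people (name) VALUES ('" + name + "')")
        return True
    except sqlite3.Error:
        return False  # the statement no longer parses

def insert_escaped(conn, name):
    """The manual workaround from the question: double every apostrophe."""
    literal = name.replace("'", "''")
    conn.execute("INSERT INTO people (name) VALUES ('" + literal + "')")

def insert_parameterized(conn, name):
    """Value bound as a parameter: it never becomes part of the SQL text."""
    conn.execute("INSERT INTO people (name) VALUES (?)", (name,))

def stored_names(conn):
    """Names in insertion order, exactly as the database holds them."""
    return [row[0] for row in conn.execute("SELECT name FROM people ORDER BY rowid")]

def demo():
    """Run all three approaches over SAMPLES, each on a fresh database."""
    concat_db, escaped_db, param_db = new_db(), new_db(), new_db()
    concatenated_ok = [insert_concatenated(concat_db, n) for n in SAMPLES]
    for n in SAMPLES:
        insert_escaped(escaped_db, n)
        insert_parameterized(param_db, n)
    return concatenated_ok, stored_names(escaped_db), stored_names(param_db)

if __name__ == "__main__":
    ok, escaped, bound = demo()
    print("concatenated inserts succeeded:", ok)
    print("escaped by hand:", escaped)
    print("bound as parameters:", bound)
```

Every concatenated insert fails to parse, while the escaped and parameterized inserts store the values unchanged; only the parameterized form does so without the caller rewriting the value.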