handling single quotes??

SStory

How can I handle the user entering single quotes like in

Bob's mini mart?

If I use command objects will this no longer be an issue?

I guess that would mean no simple ad hoc SQL statements, right?

like SELECT name from WHATEVER

would need a command object with

"SELECT @NAME, etc.
and then params

is this the way to solve the problem?

Thanks,

Shane
 
Dan Brussee

At least with SQL Server, it recognizes two single quotes as a single
quote inside single quote delimiters. Huh??

select * from table where name = 'Bob''s mini mart'

Notice two single quotes between b and s of Bob's. Use a replace
method to get it that way.
 
Scott M.

That won't cut it in .NET. It will be seen as two strings next to each
other without any concatenation.
 
Dan Brussee

Granted, my text is incomplete. I assumed that it was known that the
string as shown would be a string and have double quotes surrounding it
if hardcoded so...

sql = "select * from table where name = 'Bob''s mini mart'"

the variable sql would be valid to pass to a command object for
execution on SQL Server. I would like to stress however, that this is
much less a good fix than to convert to using parameters.
 
Kevin Spencer

You have to be very careful when handling single quotes, as the bottom of
them is very sharp. I recommend wearing gloves.

;-)

Seriously, escape them by doubling them.
--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.
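
The two fixes discussed in this thread, side by side, as an added example that is not from any of the posters. It uses Python's built-in sqlite3 module as a stand-in for a .NET command object and SQL Server (an assumption; SQLite also reads two single quotes inside a string literal as one quote), and the `stores` table, the function names and the sample names are constructed for illustration.

```python
import sqlite3

# Constructed sample input: the store name from the question plus two edge cases.
SAMPLES = ["Bob's mini mart", "'quoted'", "no quotes"]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stores (name TEXT)")  # hypothetical table
    return conn

def adhoc_sql(name, escape):
    # Ad hoc statement text; with escape=True each ' becomes '' (the Replace approach).
    if escape:
        name = name.replace("'", "''")
    return "INSERT INTO stores (name) VALUES ('" + name + "')"

def store_adhoc(conn, name, escape):
    """Return True if the statement ran, False if the quote broke the SQL."""
    try:
        conn.execute(adhoc_sql(name, escape))
        return True
    except sqlite3.OperationalError:
        return False

def store_param(conn, name):
    # The value travels separately from the SQL text, so no escaping is needed.
    conn.execute("INSERT INTO stores (name) VALUES (?)", (name,))

def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM stores ORDER BY rowid")]

def run_demo():
    results = {}
    for name in SAMPLES:
        conn = open_db()
        raw_ok = store_adhoc(conn, name, escape=False)  # unescaped concatenation
        store_adhoc(conn, name, escape=True)            # doubled quotes
        store_param(conn, name)                         # parameterized
        results[name] = (raw_ok, stored_names(conn))
    return results

if __name__ == "__main__":
    for name, (raw_ok, rows) in run_demo().items():
        print(repr(name), "| raw ad hoc ran:", raw_ok, "| stored:", rows)
```

Both the doubled-quote statement and the parameterized one store the name exactly as typed; only the parameterized version does so without the caller having to remember the escaping step.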
 
