c# - SQL Syntax Error: Remove/Disclude Apostrophe's? -


i use below code update business' information on 1 of windows forms. when user puts business name in txtbusname "sandy's place" receive incorrect syntax near ';'. unclosed quotation mark after character string ';'.

what best way handle issue?

conn = new sqlconnection(connstring); conn.open(); sqlcommand cmd = conn.createcommand();  mskzip.textmaskformat = maskformat.excludepromptandliterals; string zip = mskzip.text; mskzip.textmaskformat = maskformat.includeliterals; mskmailzip.textmaskformat = maskformat.excludepromptandliterals; string mailzip = mskmailzip.text; mskmailzip.textmaskformat = maskformat.includeliterals; mskphone.textmaskformat = maskformat.excludepromptandliterals; string phone = mskphone.text; mskphone.textmaskformat = maskformat.includeliterals; mskfax.textmaskformat = maskformat.excludepromptandliterals; string fax = mskfax.text; mskfax.textmaskformat = maskformat.includeliterals;   cmd.commandtext = "update business set name='" + txtbusname.text + "', contactname='" + txtcontname.text +                 "', address='" + txtaddr1.text + "', city='" + txtcity.text + "', state='" + cmbstate.text + "', zip=" + ((zip=="")?"null":zip) + ", " +                 "mailaddress='" + txtmailaddr1.text + "', mailcity='" + txtmailcity.text + "', mailstate='" + cmbmailstate.text +                 "', mailzipcode=" + ((mailzip == "") ? "null" : mailzip) + ", latitude=" + ((txtlat.text == "") ? "null" : txtlat.text) + ", longitude=" + ((txtlong.text == "") ? "null" : txtlong.text) + ", phone=" +                 ((phone == "") ? "null" : phone) + ", fax=" + ((fax == "") ? "null" : fax) + ", email='" + txtemail.text + "' " +                 "where businessid=" + busid + " , status='a';";  cmd.executenonquery();  messagebox.show("database updated successfully."); this.close();

you need use parameterized query this

cmd.commandtext =          "update business set name=@name, contactname=@contact, address=@address, " +                  "city=@city, state=@state, zip=@zip, " +                 "mailaddress=@mail, mailcity=@ecity, mailstate=@estate, " +                 "mailzipcode=@ezip, latitude=@lat, longitude=@lng, phone=@phone, " +                 "fax=@fax, email=@email " +                 "where businessid=@busid , status='a'";  cmd.parameters.addwithvalue("@name", txtbusname.text); cmd.parameters.addwithvalue("@contact", txtcontname.text);  cmd.parameters.addwithvalue("@address", txtaddr1.text); cmd.parameters.addwithvalue("@city", txtcity.text); cmd.parameters.addwithvalue("@state", cmbstate.text);  sqlparameter p1 = cmd.parameters.add("@zip", sqldbtype.nvarchar); if(zip == "") p1.value = dbnull.value; else p1.value = zip;  cmd.parameters.addwithvalue("@mail",  txtmailaddr1.text); cmd.parameters.addwithvalue("@ecity", txtmailcity.text); cmd.parameters.addwithvalue("@estate", cmbmailstate.text);  p1 = cmd.parameters.add("@ezip", sqldbtype.nvarchar); if (mailzip == "") p1.value = dbnull.value; else p1.value = mailzip;  p1 = cmd.parameters.add("@lat", sqldbtype.nvarchar); if (txtlat.text == "") p1.value = dbnull.value; else p1.value = txtlat.text;  p1 = cmd.parameters.add("@lng", sqldbtype.nvarchar); if (txtlong.text == "") p1.value = dbnull.value; else p1.value = txtlong.text;  p1 = cmd.parameters.add("@phone", sqldbtype.nvarchar); if (phone == "") p1.value = dbnull.value; else p1.value = phone;  p1 = cmd.parameters.add("@fax", sqldbtype.nvarchar); if (fax == "") p1.value = dbnull.value; else p1.value = fax;  cmd.parameters.addwithvalue("@email", txtemail.text ); cmd.parameters.addwithvalue("@busid", busid);

the article linked above worth read start end, however, summarize, using parameterized query let work format single quotes (and numeric decimals , date literals) framework code knows better me , how deal strings , in way avoid dreaded sql injection problem expose database hacking

note: don't know actual datatype columns should set null, have assumed nvarchar. if not case should replace sqldbtype appropriate value.


Comments

Post a Comment

Popular posts from this blog

curl - PHP fsockopen help required -

i trying work on cloudflare api , have found in documentation. unfortunately have no idea how can use in fsockopen or through curl. here example of post request. need know how can make request below data post using curl or fsockopen curl https://www.cloudflare.com/api_json.html -d 'a=cache_lvl' \ -d 'tkn=8afbe6dea02407989af4dd4c97bb6e25' \ -d 'email=sample@example.com' \ -d 'z=example.com' \ -d 'v=agg' here link cloudflare https://www.cloudflare.com/docs/client-api.html#s4.2 try one: $ch = curl_init("https://www.cloudflare.com/api_json.html"); curl_setopt($ch, curlopt_returntransfer,1); curl_setopt($ch, curlopt_followlocation, 1); curl_setopt($ch, curlopt_ssl_verifypeer,false); // handling of -d curl parameter here. $param = array( 'a' => 'cache_lvl', 'tkn' => '8afbe6dea02407989af4dd4c97bb6e25', 'email' => 'sample@example.com', 'z' =>
Read more

HTTP/1.0 407 Proxy Authentication Required PHP -

i working in restricted network/limited access internet. since have use proxy make web service call. here php code calling web service , response . $client = new soapclient("http: //www.xyz.com/abc/wsdls/login.wsdl", array("trace" => 1, "exceptions" => 1, 'proxy_host' => $proxy_host, 'proxy_port' => $proxy_port, 'proxy_login' => $proxy_login, 'proxy_password' => $proxy_password)); response is fatal error: uncaught soapfault exception: [wsdl] soap-error: parsing wsdl: couldn't load ' http://www.xyz.com/abc/wsdls/login.wsdl ' : failed load external entity if copy url error message , paste in browser(with same proxy settings) works. 2nd scenario is, if pass values instead of variables giving me diffarant response $client = new soapclient("http: //www.xyz.com/abc/wsdls/login.wsdl", array("trace" => 1, "exceptions" => 1, 'proxy_host'
Read more

c# - Resource not found error -

i have problem accessing method on homecontroller. show code of method : [httpget] public actionresult decriptidentifiantetredirige(string login_crypter, string mdp_crypter) { string loginacrypter = _globalmanager.protegemotdepasse(login_crypter); string mdpacrypter = _globalmanager.protegemotdepasse(mdp_crypter); user userapp = new models.user(login_crypter, mdp_crypter); if (userapp.authentificationvalidee(userapp.userlogin, userapp.password)) { session["name"] = userapp.userlogin; return redirecttoaction("accueil", "home"); } else { return redirecttoaction("validerauthentification", "home"); } } then in routeconfig.cs wrote route : routes.maproute( name: "authentificationapresdecryptage", url: "{controller}/{action}/{login_crypter}/{mdp_crypter}", defaults: new
Read more