I need to insert '' (2 apostrophes) into a column.
Just the apostrophes without any text.
But I end up inserting \'\' (apostrophes with backslashes)
NpgsqlCommand Cmd = new NpgsqlCommand("INSERT into Table(Col) VALUES(#value), conn);
Cmd.Parameters.AddWithValue("#value", "''");
Cmd.ExecuteNonQuery();
Result: \'\' Appears in my table.
If I use less or more apostrophes it inserts fine but I need exactly 2 and then for some reason backslashes appear.
There seems to be a lot of confusion in the results above.
Npgsql does not perform any escaping in parameters, because they are sent out of band and are not treated in SQL. If your parameter value contains a C# string with two apostrophes, that is what will get inserted into the database.
After running your code above and using psql, I get the following:
var cmd = new NpgsqlCommand("INSERT into foo (name) VALUES (#value)", conn);
cmd.Parameters.AddWithValue("#value", "''");
cmd.ExecuteNonQuery();
npgsql_tests=# select * from foo;
name
------
''
(1 row)
Maybe pgadmin shows values with backslashes - I don't know - but that would be a display issue.
Finally, if you really want to insert a constant value (as opposed to a user-provided one), there's no reason to use parameters. Just embed your value in SQL:
INSERT INTO foo (name) VALUES ('''''');
There are six apostrophes in there: 2 as the string delimiters, and two more escaped apostrophes (in SQL, '' is the escaped form of a single literal apostrophe).
However, if you're reading input from the user, definitely use a parameter.
Try to double up each apostrophe.
Cmd.Parameters.AddWithValue("value", "''''");
Adding an empty text box and using it's text value somehow let's me insert the double apostrophes.
So the answer would be
NpgsqlCommand cmd = new NpgsqlCommand (INSERT into Table (Col) VALUES (#value);
Cmd.Parameters.AddWithValue("#value", textBox1.text);
Cmd.ExecuteNonQuery();
Where texBox1 is just an empty text box.
Probably not the best way of doing this but it works for now.
Related
The problem is when user insert non-Latin word to database, if collation not set to that alphabet, the word comes like '?????' But if user insert word like N'word' or I select it like N'word' there is no problem.I use hastable function on C# side so is there any solution for use N'word' format automaticly or must I use N before text everytime I call function?I already use NVARCHAR format by the way.
The simple way to ask;I don't want to use N'word' format every time when I select item from database.Is there any trigger, stored procedure or function for add automaticly N before text I select.
You shouldn't use the N'word' format at all, you should use parameters. When you concatenate values into a string to create a query, it's wide open to SQL injection attacks unless you managage to escape all input exactly right.
Put parameters in the query and add the values to the Parameters collection of the command. Example:
string query = "select Id from Persons where Name = #Name";
using (SqlCommand cmd = new SqlCommand(query, connection)) {
cmd.Parameters.Add('#Name', SqlDbType.NVarChar, 50).value = name;
using (SqlDataReader reader = cmd.ExecuteReader()) {
while (reader.Read()) {
...
}
}
}
Using unicode types like NVarChar for the parameter ensures that the parameter value is sent as unicode, equivalent to the N'word' format.
Why don't you use some sort of ORM. Dapper is a lightweight ORM:
https://github.com/StackExchange/dapper-dot-net
It will solve your problems with parameter passing if this is the troubles you are having
I am working on a C# windows form which is connected to MySQL and updates strings within the form. I have everything working properly except for a small issue.
Say you want to update the "notes" field to read "The dog's bone", that apostrophe is causing the SQL query to end and cause an error. How can I get around this please?
UPDATE `database`
SET `notes` = 'The dog's bone'
WHERE `Pet` = 'Dog';
Thanks!
You can escape ' character in MySQL with doubling it like ''.
Other than that, if you use parameterized queries, you will not need this at all. Just pass your The dog's bone string directly to your parameterized query and you will be fine.
Also I strongly suspect you try to use UPDATE instead of SELECT statement. In MySQL, SELECT syntax doesn't have any SET part.
And using a reserved keyword as a column name is a bad idea. As a best practice, change your database column name to non-reserved word.
using(var con = new MySqlConnection(conString))
using(var cmd = con.CreateCommand())
{
cmd.CommandText = #"UPDATE `database` SET notes = #notes
WHERE Pet = #pet";
cmd.Parameters.AddWithValue("#notes", "The dog's bone");
cmd.Parameters.AddWithValue("#pet", "Dog");
con.Open();
cmd.ExecuteNonQuery();
}
I used AddWithValue method as an example in my code since I didn't know your column types but you don't use it. This method may generate unexpected and surprising results sometimes. Use Add method overloads to specify your parameter type and it's size.
Escape it with another single quote ':
SELECT `database`
SET `notes` = 'The dog''s bone'
WHERE `Pet` = 'Dog';
I have an insert statement that takes the raw text from text area and stores it. We only allow editing the same value and not display them.
During the insert the newline along with slash [abc\\ndef] is removed for some reason by SQL Server. So what is the C# solution to this?
Insert Statement
INSERT INTO Comments (Comment) VALUES (#clientValue)
where comment is the column name and #clientValue contains the string abc\\ndef when viewed in the Visual Studio debugger
Demonstration
SELECT 'abc\
def' AS ColumnResult;
C# Command Snippet
SqlCommand cmd = new SqlCommand();
cmd.CommandText = "INSERT INTO Comments(Comment) VALUES (#clientValue)"
cmd.Connection = conn;
SqlParameter param = new SqlParameter();
param.ParameterName = "#clientValue";
param.Value = txtComment.Text;
cmd.Parameters.Add(param);
conn.open();
execute the statement here
running above statement the \ and \n newline from the textarea are getting removed. How do I avoid this?
What is the column type for the storage column? If it is varchar or text then change it to nvarchar/ntext.
If any of that doesn’t work you can simply replace /n with something like or use html but it would require that you update the string before storing it in database and before adding it back to textarea. This is far from ideal solution but it would work.
Please help me to store apostrophe. I m creating a website (C#, .net, SQL Server) and want to have a message box for the users but the problem is that when I inserts any message such as John's it shows an error near ''s'.
Please tell me how could I store apostrophe in database
I used nvarchar, varchar and everything but failed to store apostrophe containing messages.
A general solution is to write message with double apostrophe but this is not a solution for a website
You are open for SQL-Injection. Don't concatenate strings to build your query. Instead use SQL-Parameters. That also makes your code more readable and prevents errors like yours.
Here's an example:
int amt;
using (var con = new SqlConnection(ConnectionString)) {
var sql = "INSERT INTO dbo.Message(UserID, Message) VALUES(#UserID, #Message);";
using (var cmd = new SqlCommand(sql, con)) {
cmd.Parameters.AddWithValue("#UserID", userID); // passed as argument
cmd.Parameters.AddWithValue("#Message", txtMessage.Text); // f.e. "John's"
con.Open();
int inserted = cmd.ExecuteNonQuery();
}
}
The same works also with other sql like UPDATE commands.
The problem is that you need to escape Apostrophe by another Apostrophe.
For example have a look at:http://sqlfiddle.com/#!3/d2f75/1
CREATE TABLE tblTEst( col1 NVARCHAR(50))
INSERT INTO tblTest
(Col1)
SELECT 'John''s'
The best solution is to use a prepared statement (or whatever the equivalent in C# is) where your SQL only contains placeholders and you pass the actual values through a different method.
In a character literal, the single quote ' can be used by simply doubling it:
insert into foo (bar)
values
('John''s');
use CHAR(39)between john & s like this: 'john'+CHAR(39)+'s'
If I want to insert a statement which contains quotation mark, how is it possible ?
For Example I have a text box and I enter:
Future Swami Vivekananda’s grand father's name was "____" .
If you use properly parameterized statements, you shouldn't need to worry about it. Something like this (though please don't learn C# techniques from me):
string sql = #"UPDATE dbo.table SET col = #p1 WHERE ...;";
string myString = #"hello'foo""bar";
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.CommandType = CommandType.Text;
cmd.Parameters.Add("#p1", SqlDbType.VarChar, 30).Value = myString;
(Though you really should be using stored procedures.)
If you are building your strings manually (which you really, really, really shouldn't be doing), you need to escape string delimiters by doubling them up:
INSERT dbo.tbl(col) VALUES('hello''foo"bar');
Use a parameterized query - then quotes don't matter at all. Also - your database doesn't get taken over by SQL injection - so win/win really.
You can double up the quote:
INSERT INTO table
VALUES ('Future Swami Vivekananda''s grand father''s name was "____"')