When users enter text into a textbox, to be INSERTed into my table, SQL Server throws an error if their text contains a single quote.
For example, if they enter "It's great!" then it causes this error:
Error: Incorrect syntax near 's'. Unclosed quotation mark after the character string ''.
How can I allow text with single quotes to be inserted into the table?
Here's my code:
string strInsert = "INSERT INTO [Comments] ([GameID], [UserID], [Comment]) VALUES (@.GameID, @.UserID, @.Comment)";
SqlConnection myConnection = new SqlConnection(<<myconnectionstuff>>);
SqlCommand myCommand = new SqlCommand(strInsert, myConnection);
myCommand.Parameters.Add( "@.GameID", Request.QueryString["GameID"] );
myCommand.Parameters.Add( "@.UserID", (string)Session["UserID"] );
myCommand.Parameters.Add( "@.Comment", ThisUserCommentTextBox.Text );
try {
myCommand.Connection.Open();
myCommand.ExecuteNonQuery();
}
catch (SqlException ex) {
ErrorLabel.Text = "Error: " + ex.Message;
}
finally {
myCommand.Connection.Close();
}
You write C# so they are called string literals in C# but in ANSI SQL they are Delimiters per ANSI SQL 92 and SQL Server is compliant so run a search for Qouted Identifier in SQL Server BOL(books online) and try the link below for SQL Server Delimiters. Hope this helps.
http://msdn2.microsoft.com/en-gb/library/ms176027.aspx
|||That code looks fine. Are you sure that is where the problem is?|||(How can I allow text with single quotes to be inserted into the table?)
The person have not posted the code with the error but I replied the above and the error generated.
|||
Motley:
That code looks fine. Are you sure that is where the problem is?
Well it works fine unless I include a single quote in the text box somewhere.
Caddre, I've researched some more based on your reply, but I don't have easy access to the SQL Server settings - I'm on a shared hosting account. Is there some other workaround, maybe using a regular expression to replace a single quote with something else, at least temprarily while I'm processing the text? I tried entering /' instead, to see if an escape character would work, but SQL Server still won't take it.
|||
Yes there is SET QUOTED_IDENTIFIER ON/OFF will help you deal with it. Try the link below for details.
http://msdn2.microsoft.com/en-US/library/ms174393.aspx
|||
Yes there is SET QUOTED_IDENTIFIER ON/OFF will help you deal with it. Try the link below for details.
http://msdn2.microsoft.com/en-US/library/ms174393.aspx
I'm wondering how to send the "SET QUOTED_IDENTIFIER ON" command within my ASP.NET page.
I'm using a command called ExecuteNonQuery(); -- so does that mean I can just append it to the beginning of my INSERT string, like this?
string strInsert = "SET QUOTED_IDENTIFIER ON GO INSERT INTO [Comments] ([GameID], [UserID], [Comment]) VALUES ..."
Does it last only during this query or will it stay on somehow until I turn it off?
Sorry, I'm a newbie with SQL Server and ASP.NET.
Yes, I understand. It should work fine for any value you place within the textbox control. That includes quotes. I do this quite often with no problems.
As for can you put the SET statement before your query, the answer is yes, but do not separate the commands with GO. You may place a semi-colon between them if you want to however, like:
SET {stuff}; SELECT {stuff}
|||OK, I am trying to make sense of this, and it's just not making any sense to me. (I have limited experience with SQL and SQL Server and VBScript; I paid a programmer to write a script and after delivering a partly-working script, he promised to fix it and then disappeared. I think he couldn't solve this problem himself.)
I am getting the error message "Unclosed quotation mark after the character string" when I execute this SQL statement from VBScript, butno error when I execute the same SQL statement from within SQL Management Studio. Any suggestions would be extremely welcome.
INSERT INTO Raw_Datafeeds (ProductID,Name,MerchantID,Merchant,Link,Thumbnail,BigImage,Price,RetailPrice,Category,SubCategory,Description,Custom1,Custom2,Custom3,Custom4,Custom5,LastUpdated,Status,Last_Loaded)
VALUES
('454848129','Healthy Ears Ear Cleanser - Buy 2 Get 1 Free','10052',
'Pet Nutrition Products','http://www.shareasale.com/m-pr.cfm?merchantID=10052&userID=YOURUSERID&productID=454848129',
'http://www.petnutritionproducts.com/images/products/100/cat_ears.jpg',
'http://www.petnutritionproducts.com/images/products/400/cat_ears.jpg',15.98,0,'Home/Family','Pets',
'Healthy Ears Ear Cleanser is a veterinarian formulated combination of gentle ingredients that aid in the removal of dirt, wax and other unwanted matter from your cat''s ears.',
'Dog','Ear Care',' ',' ',' ','6/6/2006 1:35:01 AM','instock','10/25/2006 4:06:00 PM')
The original problem in this thread could probably be solved by specifying the type of each parameter rather than letting the system guess.
As for mark's problem, it's obviously related to "cat''s" in your insert string, however since you haven't posted the code you are using in VBScript, it'd be difficult to say where the problem is. As a quick hack, you can replace all quotes in any parameter with '+CHAR(39)+' so that cat's would then become cat'+CHAR(39)+'s.
jpsR1 wrote: