Apostrophes Not Handled when Adding to Database using C#

radderfire

radderfire

radderfire

Soldato
Joined
24 Sep 2007
Posts
5,795
Hi Guys

I have some old C# code that I wrote that adds data into a MariaDB using the MySql.Data.MySqlClient namespace.

The problem is I can't add text containing apostrophes into the database properly. I know this is a classic problem, but I can't remember how to fix it, apart from using stored procedures instead, which looks a bit complicated, especially when using MariaDB.

Anyway, my code, and in particular the SQL insert statement, is:

Code: 
 try {

            // Open database connection

            // Technique is passing the connection string to the constructor of the MySqlConnection class
            // Note you have to import the MySql.Data.MySqlClient namespace to be able to use this
            MySqlConnection conn = new MySqlConnection(connStr);
            conn.Open();

            // For testing
            // lblMyTestLabel.Text = "Connection Opened!";

            // Get values from web form

            String BrandName = txtBrandName.Text;
            String BrandDesc = txtBrandDesc.Text;
            String BrandUrl = txtBrandUrl.Text;
            String BrandPage = txtBrandPage.Text;

            // Add the brand


            String SqlInsert = "INSERT into brands (BrandName, BrandDesc, BrandUrl, BrandPage) VALUES ('" + BrandName + "', '" + BrandDesc + "', '" + BrandUrl + "', '" + BrandPage + "')";

            // Create a command to run against the database
            MySqlCommand cmd = new MySqlCommand(SqlInsert);
            // Specify the CommandType for the connection, in this case it's text from a string, not a stored procedure
            cmd.CommandType = System.Data.CommandType.Text;
            // Give the MySQLCommand a connection to use
            cmd.Connection = conn;

            // Execute the non query
            cmd.ExecuteNonQuery();

            // Close the connection
            conn.Close();

            // Hide the form

            formBrandAdd.Visible = false;

            // Confirm done

            lblUserMessage.Text = "Brand added! <a href='brand-add.aspx'>Add another</a>";
            lblUserMessage.BackColor = System.Drawing.Color.LightGreen;

            //For testing
            // lblMyTestLabel.Text = "Yes, that's completed! <a href='brand-add.aspx'>Add another brand</a>";
            // lblMyTestLabel.BackColor = System.Drawing.Color.LightGreen;

        }

What do I need to do to be able to handle apostrophes added in the text fields?

Any suggestions or links to code examples appreciated.

Thanks
 
String literals?

Middle of the document:

learn.microsoft.com

Strings - C# Programming Guide - C#

Learn about strings in C# programming. See information on declaring and initializing strings, the immutability of string objects, and string escape sequences.
learn.microsoft.com

Personally I hate C# so a bit leery of giving anything too specific in case there are things I'm not aware of.
 
Last edited:
This is the line that is the problem:

Code: 
String SqlInsert = "INSERT into brands (BrandName, BrandDesc, BrandUrl, BrandPage) VALUES ('" + BrandName + "', '" + BrandDesc + "', '" + BrandUrl + "', '" + BrandPage + "')";

The problem is happening because I am using ' around the variable values. Before I try anything else, is there a simple amend to this line that would make it work? I know this is a classic problem.

Thanks
 
If I used a prepared statement, would this be the way to get the variables from the form data into it?

Code: 
cmd.Parameters.AddWithValue("@BrandName", BrandName);
 
radderfire said:
Before I try anything else, is there a simple amend to this line that would make it work? I know this is a classic problem.
Click to expand...

No.

You want to do this (untested so I might typo):

C#: 
MySqlCommand cmd = new MySqlCommand();

cmd.CommandText = "INSERT into brands (BrandName, BrandDesc, BrandUrl, BrandPage) VALUES (@BrandName, @BrandDesc, @BrandUrl, @BrandPage)";
cmd.Prepare();

cmd.Parameters.AddWithValue("@BrandName", BrandName);
cmd.Parameters.AddWithValue("@BrandDesc", BrandDesc);
cmd.Parameters.AddWithValue("@BrandUrl", BrandUrl);
cmd.Parameters.AddWithValue("@BrandPage", BrandPage);

cmd.

For some reason the board software won't let me write ExecuteNonQuery(); in the code block.
 
Last edited:
I'm getting there, essentially that has worked, thanks, I just had to add a NULL in as well (something to do with id autoincrement I expect):

Code: 
cmd.CommandText = "INSERT INTO brands VALUES(NULL, @BrandName, @BrandDesc, @BrandUrl, @BrandPage)";
 
The example I was following was slightly different, so I've just checked, and your line worked too, so thanks:

Code: 
cmd.CommandText = "INSERT into brands (BrandName, BrandDesc, BrandUrl, BrandPage) VALUES (@BrandName, @BrandDesc, @BrandUrl, @BrandPage)";
 
radderfire said:
The example I was following was slightly different, so I've just checked, and your line worked too, so thanks:
Click to expand...

Yeah, your first version inserts into all the values in the order they're specified in the table. The one I used just copied how you were doing it in the first pace by inserting into only a selection of values and in a specified order.
 
OK, next question is how do I write a prepared statement for an UPDATE? I have made a guess, which is probably wrong:

Code: 
cmd.CommandText = "UPDATE brands SET (BrandName, BrandDesc, BrandUrl, BrandPage) VALUES (@BrandName, @BrandDesc, @BrandUrl, @BrandPage) WHERE BrandId = (@BrandId2)";

Thanks
 
Last edited:
You write it exactly how you would write the sql statement that you want but with @whatever substituting for each value and without any quotes around the values. You don't change the structure of the query at all, so your SQL needs to look like:

Code: 
UPDATE brands SET BrandName=@BrandName, BrandDesc=@BrandDesc, ... etc ... WHERE BrandId=@BrandId

Just like a normal update.
 
You must log in or register to reply here.
Back
Top Bottom