> Hi All,
>
> What is the good way to handle a string which contains characters
> like single quote (') or square bracket with LIKE ([]), while
> building a SQL statement. Right now iam searching these characters in
> the string and adding the escape chars for that.
>
> eg 1: (This will fail to search)
>
> String* searchVal = S"Test'quote";
> String* str = S"";
> str = String::Format(S"Select * from t1 where c1 = '{0}'",
> searchVal);
>
> eg 2: (so i need to add a extra ' in the string)
> String* searchVal = S"Test''quote";
>
> Any other solutions for this

"Frans Bouma [C# MVP]" wrote:

> Hari wrote:
>
> > Hi All,
> >
> > What is the good way to handle a string which contains characters
> > like single quote (') or square bracket with LIKE ([]), while
> > building a SQL statement. Right now iam searching these characters in
> > the string and adding the escape chars for that.
> >
> > eg 1: (This will fail to search)
> >
> > String* searchVal = S"Test'quote";
> > String* str = S"";
> > str = String::Format(S"Select * from t1 where c1 = '{0}'",
> > searchVal);
> >
> > eg 2: (so i need to add a extra ' in the string)
> > String* searchVal = S"Test''quote";
> >
> > Any other solutions for this
>
>     never concat values into a query. Use a parameter like this:
> str = S"SELECT * FROM t1 WHERE C1=@param";
>
> and then create a new parameter:
> SqlParameter* param = new SqlParameter();
> // fill in parameter's properties here.
> // add it to the SqlCommand object:
> cmd.Parameters.Add(param);
>
>         FB
>
>
> --
> ------------------------------------------------------------------------
> Get LLBLGen Pro, productive O/R mapping for .NET: http://www.llblgen.com
> My .NET blog: http://weblogs.asp.net/fbouma
> Microsoft MVP (C#)
> ------------------------------------------------------------------------
>

"Hari" wrote:

> Thanks Frans, Also Iam is works if use 'LIKE' within a where clause?  (Iam
> not sure about using wild characters within a param object???)
> eg.
>
> SELECT * from t1 WHERE c1 LIKE @param
>
> Hari
>
>
> "Frans Bouma [C# MVP]" wrote:
>
> > Hari wrote:
> >
> > > Hi All,
> > >
> > > What is the good way to handle a string which contains characters
> > > like single quote (') or square bracket with LIKE ([]), while
> > > building a SQL statement. Right now iam searching these characters in
> > > the string and adding the escape chars for that.
> > >
> > > eg 1: (This will fail to search)
> > >
> > > String* searchVal = S"Test'quote";
> > > String* str = S"";
> > > str = String::Format(S"Select * from t1 where c1 = '{0}'",
> > > searchVal);
> > >
> > > eg 2: (so i need to add a extra ' in the string)
> > > String* searchVal = S"Test''quote";
> > >
> > > Any other solutions for this
> >
> >     never concat values into a query. Use a parameter like this:
> > str = S"SELECT * FROM t1 WHERE C1=@param";
> >
> > and then create a new parameter:
> > SqlParameter* param = new SqlParameter();
> > // fill in parameter's properties here.
> > // add it to the SqlCommand object:
> > cmd.Parameters.Add(param);
> >
> >         FB
> >
> >
> > --
> > ------------------------------------------------------------------------
> > Get LLBLGen Pro, productive O/R mapping for .NET: http://www.llblgen.com
> > My .NET blog: http://weblogs.asp.net/fbouma
> > Microsoft MVP (C#)
> > ------------------------------------------------------------------------
> >

"Hari" <H***@discussions.microsoft.com> wrote in message
news:ED8DA845-592D-4CF0-8B6D-0ED0D18BB638@microsoft.com...
> Thanks Frans, Also Iam is works if use 'LIKE' within a where clause?  (Iam
> not sure about using wild characters within a param object???)
> eg.
>
> SELECT * from t1 WHERE c1 LIKE @param
>
> Hari


>> never concat values into a query. Use a parameter like this:
>> str = S"SELECT * FROM t1 WHERE C1=@param";
>>