> Hi,
>
> in my application I add personal information about customers to a database
> by sending a SQL string. Now, sometimes there are customers with names that
> contain an apostrophe (like D'Artienne, etc.). Now, when I create a SQL
> string with such an apostrophe it gets malformatted (like: "insert into
> table1 (Firstname) values ('D'Artienne')" ). So, is there any way to insert a
> name that contains an apostrophe into a table by SQL?
>
>
> Thanks a lot
> peter User submitted from AEWNET (http://www.aewnet.com/)

>
> So in the table the column Firstname stores the value D'Artienne.
>
> Cheers
> T
>
>
> > Hi,
> >
> > in my application I add personal information about customers to a
database
> > by sending a SQL string. Now, sometimes there are customers with names
that
> > contain an apostrophe (like D'Artienne, etc.). Now, when I create a SQL
> > string with such an apostrophe it gets malformatted (like: "insert into
> > table1 (Firstname) values ('D'Artienne')" ). So, is there any way to
insert a
> > name that contains an apostrophe into a table by SQL?
> >
> >
> > Thanks a lot
> > peter
>
> User submitted from AEWNET (http://www.aewnet.com/)

"Angel Saenz-Badillos[MS]" <ange***@online.microsoft.com> wrote in message
news:un$9dGKBFHA.1564@TK2MSFTNGP09.phx.gbl...
> This just cannot be repeated enough times.
> DO NOT  pass in customer data directly into a Sql Query. ALWAYS use
> parameters.
>
> --
> Angel Saenz-Badillos [MS] Managed Providers
> This posting is provided "AS IS", with no warranties, and confers no
> rights.Please do not send email directly to this alias.
> This alias is for newsgroup purposes only.
> I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/
>
>
>
>
> "Guest" <Guest@aew_nospam.com> wrote in message
> news:eGBVebFBFHA.3336@TK2MSFTNGP11.phx.gbl...
>> You've probably solved this by now. All you have to do is add another
> apostrophe beside the one you'd like to store e.g. insert into table XYZ
> (Firstname) values ('D''Artienne').
>>
>> So in the table the column Firstname stores the value D'Artienne.
>>
>> Cheers
>> T
>>
>>
>> > Hi,
>> >
>> > in my application I add personal information about customers to a
> database
>> > by sending a SQL string. Now, sometimes there are customers with names
> that
>> > contain an apostrophe (like D'Artienne, etc.). Now, when I create a SQL
>> > string with such an apostrophe it gets malformatted (like: "insert into
>> > table1 (Firstname) values ('D'Artienne')" ). So, is there any way to
> insert a
>> > name that contains an apostrophe into a table by SQL?
>> >
>> >
>> > Thanks a lot
>> > peter
>>
>> User submitted from AEWNET (http://www.aewnet.com/)
>
>

"Miha Markic [MVP C#]" <miha at rthand com> wrote in message
news:e0O4TNKBFHA.1992@TK2MSFTNGP10.phx.gbl...
> Hi Angel,
>
> I hope you have this answer in "favorites answers" as it will have to be
> repeated many times :-)
> OTOH, I can imagine a scenario where you might have to pass in a
dynamically
> built WHERE clause instead of parameters:
> IN clause is a very tempting candidate - when there is too many
parameters.
> There are workarounds, but they are all "not that easy" to employ.
>
> As this is very annoying (dealing with parameter lists that is) I can only
> wonder why there is (still) no support for parameter lists even in Yukon.
> Can you shed some light on this?
>
> --
> Miha Markic [MVP C#] - RightHand .NET consulting & development
> SLODUG - Slovene Developer Users Group
> www.rthand.com
>
> "Angel Saenz-Badillos[MS]" <ange***@online.microsoft.com> wrote in message
> news:un$9dGKBFHA.1564@TK2MSFTNGP09.phx.gbl...
> > This just cannot be repeated enough times.
> > DO NOT  pass in customer data directly into a Sql Query. ALWAYS use
> > parameters.
> >
> > --
> > Angel Saenz-Badillos [MS] Managed Providers
> > This posting is provided "AS IS", with no warranties, and confers no
> > rights.Please do not send email directly to this alias.
> > This alias is for newsgroup purposes only.
> > I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/
> >
> >
> >
> >
> > "Guest" <Guest@aew_nospam.com> wrote in message
> > news:eGBVebFBFHA.3336@TK2MSFTNGP11.phx.gbl...
> >> You've probably solved this by now. All you have to do is add another
> > apostrophe beside the one you'd like to store e.g. insert into table XYZ
> > (Firstname) values ('D''Artienne').
> >>
> >> So in the table the column Firstname stores the value D'Artienne.
> >>
> >> Cheers
> >> T
> >>
> >>
> >> > Hi,
> >> >
> >> > in my application I add personal information about customers to a
> > database
> >> > by sending a SQL string. Now, sometimes there are customers with
names
> > that
> >> > contain an apostrophe (like D'Artienne, etc.). Now, when I create a
SQL
> >> > string with such an apostrophe it gets malformatted (like: "insert
into
> >> > table1 (Firstname) values ('D'Artienne')" ). So, is there any way to
> > insert a
> >> > name that contains an apostrophe into a table by SQL?
> >> >
> >> >
> >> > Thanks a lot
> >> > peter
> >>
> >> User submitted from AEWNET (http://www.aewnet.com/)
> >
> >
>
>

> --
> Angel Saenz-Badillos [MS] Managed Providers
> This posting is provided "AS IS", with no warranties, and confers no
> rights.Please do not send email directly to this alias.
> This alias is for newsgroup purposes only.
> I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/
>
>
>
>
> "Miha Markic [MVP C#]" <miha at rthand com> wrote in message
> news:e0O4TNKBFHA.1992@TK2MSFTNGP10.phx.gbl...
>> Hi Angel,
>>
>> I hope you have this answer in "favorites answers" as it will have to be
>> repeated many times :-)
>> OTOH, I can imagine a scenario where you might have to pass in a
> dynamically
>> built WHERE clause instead of parameters:
>> IN clause is a very tempting candidate - when there is too many
> parameters.
>> There are workarounds, but they are all "not that easy" to employ.
>>
>> As this is very annoying (dealing with parameter lists that is) I can
>> only
>> wonder why there is (still) no support for parameter lists even in Yukon.
>> Can you shed some light on this?
>>
>> --
>> Miha Markic [MVP C#] - RightHand .NET consulting & development
>> SLODUG - Slovene Developer Users Group
>> www.rthand.com

"Angel Saenz-Badillos[MS]" <ange***@online.microsoft.com> wrote in message
news:uEeUnIjCFHA.2156@TK2MSFTNGP10.phx.gbl...
> Miha,
> I wonder the same thing, I guess the answer is that we have not been able
> to
> come up with a good solution in this space. Do you have any suggestions? I
> would be happy to pass them on.
>
> --
> Angel Saenz-Badillos [MS] Managed Providers
> This posting is provided "AS IS", with no warranties, and confers no
> rights.Please do not send email directly to this alias.
> This alias is for newsgroup purposes only.
> I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/
>
>
>
>
> "Miha Markic [MVP C#]" <miha at rthand com> wrote in message
> news:e0O4TNKBFHA.1992@TK2MSFTNGP10.phx.gbl...
>> Hi Angel,
>>
>> I hope you have this answer in "favorites answers" as it will have to be
>> repeated many times :-)
>> OTOH, I can imagine a scenario where you might have to pass in a
> dynamically
>> built WHERE clause instead of parameters:
>> IN clause is a very tempting candidate - when there is too many
> parameters.
>> There are workarounds, but they are all "not that easy" to employ.
>>
>> As this is very annoying (dealing with parameter lists that is) I can
>> only
>> wonder why there is (still) no support for parameter lists even in Yukon.
>> Can you shed some light on this?
>>
>> --
>> Miha Markic [MVP C#] - RightHand .NET consulting & development
>> SLODUG - Slovene Developer Users Group
>> www.rthand.com
>>
>> "Angel Saenz-Badillos[MS]" <ange***@online.microsoft.com> wrote in
>> message
>> news:un$9dGKBFHA.1564@TK2MSFTNGP09.phx.gbl...
>> > This just cannot be repeated enough times.
>> > DO NOT  pass in customer data directly into a Sql Query. ALWAYS use
>> > parameters.
>> >
>> > --
>> > Angel Saenz-Badillos [MS] Managed Providers
>> > This posting is provided "AS IS", with no warranties, and confers no
>> > rights.Please do not send email directly to this alias.
>> > This alias is for newsgroup purposes only.
>> > I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/
>> >
>> >
>> >
>> >
>> > "Guest" <Guest@aew_nospam.com> wrote in message
>> > news:eGBVebFBFHA.3336@TK2MSFTNGP11.phx.gbl...
>> >> You've probably solved this by now. All you have to do is add another
>> > apostrophe beside the one you'd like to store e.g. insert into table
>> > XYZ
>> > (Firstname) values ('D''Artienne').
>> >>
>> >> So in the table the column Firstname stores the value D'Artienne.
>> >>
>> >> Cheers
>> >> T
>> >>
>> >>
>> >> > Hi,
>> >> >
>> >> > in my application I add personal information about customers to a
>> > database
>> >> > by sending a SQL string. Now, sometimes there are customers with
> names
>> > that
>> >> > contain an apostrophe (like D'Artienne, etc.). Now, when I create a
> SQL
>> >> > string with such an apostrophe it gets malformatted (like: "insert
> into
>> >> > table1 (Firstname) values ('D'Artienne')" ). So, is there any way to
>> > insert a
>> >> > name that contains an apostrophe into a table by SQL?
>> >> >
>> >> >
>> >> > Thanks a lot
>> >> > peter
>> >>
>> >> User submitted from AEWNET (http://www.aewnet.com/)
>> >
>> >
>>
>>
>
>

>> OTOH, I can imagine a scenario where you might have to pass in a
> dynamically
>> built WHERE clause instead of parameters:
>> IN clause is a very tempting candidate - when there is too many
> parameters.
>> There are workarounds, but they are all "not that easy" to employ.


"Robbe Morris" <i***@turnkeytools.com> wrote in message
news:#bFdHGMDFHA.1292@TK2MSFTNGP10.phx.gbl...
> I agree with the poster below about "never" doing this.
>
> For a variety of reasons, you have just opened up a major
> security hole in your application even if you successfully
> convert the apostrophes.  You never know which "smart guy"
> will start playing with your application just to prove how smart
> they are and how dumb you are.  You'd be surprised at the
> number of "second cousins" that employees let play with
> their work software/web sites.
>
> The security hole you open up with dynamic sql strings would
> be a cake-walk for any 12 year old who has an ounce of sense
> about programming.
>
> Is this the person you want to introduce to your boss as the
> one who crashed your app or more likely deleted your data?
>
> My intent is not to hurt your feelings, abuse you, or talk down
> to you.  Just to give a wake up call to someone I'm sure works
> their tail off to build great software.  I'd hate to see you get
> embarrased.
>
> I understand some applications may need to have different
> update or insert statements for different situations.  In these
> cases, you could include an extra parameter in your
> stored procedure that dictates which statements to process.
> Include all possible input parameters and ensure that those
> that are optional can be set as null or default values if they
> aren't passed in.
>
> --
> 2005 Microsoft MVP C#
> Robbe Morris
> http://www.masterado.net
> http://www.mastervb.net
>
>
>
>
> "Angel Saenz-Badillos[MS]" <ange***@online.microsoft.com> wrote in message

> news:uEeUnIjCFHA.2156@TK2MSFTNGP10.phx.gbl...
> > Miha,
> > I wonder the same thing, I guess the answer is that we have not been
able
> > to
> > come up with a good solution in this space. Do you have any suggestions?
I
> > would be happy to pass them on.
> >
> > --
> > Angel Saenz-Badillos [MS] Managed Providers
> > This posting is provided "AS IS", with no warranties, and confers no
> > rights.Please do not send email directly to this alias.
> > This alias is for newsgroup purposes only.
> > I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/
> >
> >
> >
> >
> > "Miha Markic [MVP C#]" <miha at rthand com> wrote in message
> > news:e0O4TNKBFHA.1992@TK2MSFTNGP10.phx.gbl...
> >> Hi Angel,
> >>
> >> I hope you have this answer in "favorites answers" as it will have to
be
> >> repeated many times :-)
> >> OTOH, I can imagine a scenario where you might have to pass in a
> > dynamically
> >> built WHERE clause instead of parameters:
> >> IN clause is a very tempting candidate - when there is too many
> > parameters.
> >> There are workarounds, but they are all "not that easy" to employ.
> >>
> >> As this is very annoying (dealing with parameter lists that is) I can
> >> only
> >> wonder why there is (still) no support for parameter lists even in
Yukon.
> >> Can you shed some light on this?
> >>
> >> --
> >> Miha Markic [MVP C#] - RightHand .NET consulting & development
> >> SLODUG - Slovene Developer Users Group
> >> www.rthand.com
> >>
> >> "Angel Saenz-Badillos[MS]" <ange***@online.microsoft.com> wrote in
> >> message
> >> news:un$9dGKBFHA.1564@TK2MSFTNGP09.phx.gbl...
> >> > This just cannot be repeated enough times.
> >> > DO NOT  pass in customer data directly into a Sql Query. ALWAYS use
> >> > parameters.
> >> >
> >> > --
> >> > Angel Saenz-Badillos [MS] Managed Providers
> >> > This posting is provided "AS IS", with no warranties, and confers no
> >> > rights.Please do not send email directly to this alias.
> >> > This alias is for newsgroup purposes only.
> >> > I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/
> >> >
> >> >
> >> >
> >> >
> >> > "Guest" <Guest@aew_nospam.com> wrote in message
> >> > news:eGBVebFBFHA.3336@TK2MSFTNGP11.phx.gbl...
> >> >> You've probably solved this by now. All you have to do is add
another
> >> > apostrophe beside the one you'd like to store e.g. insert into table
> >> > XYZ
> >> > (Firstname) values ('D''Artienne').
> >> >>
> >> >> So in the table the column Firstname stores the value D'Artienne.
> >> >>
> >> >> Cheers
> >> >> T
> >> >>
> >> >>
> >> >> > Hi,
> >> >> >
> >> >> > in my application I add personal information about customers to a
> >> > database
> >> >> > by sending a SQL string. Now, sometimes there are customers with
> > names
> >> > that
> >> >> > contain an apostrophe (like D'Artienne, etc.). Now, when I create
a
> > SQL
> >> >> > string with such an apostrophe it gets malformatted (like: "insert
> > into
> >> >> > table1 (Firstname) values ('D'Artienne')" ). So, is there any way
to
> >> > insert a
> >> >> > name that contains an apostrophe into a table by SQL?
> >> >> >
> >> >> >
> >> >> > Thanks a lot
> >> >> > peter
> >> >>
> >> >> User submitted from AEWNET (http://www.aewnet.com/)
> >> >
> >> >
> >>
> >>
> >
> >
>
>