HighTechTalks DotNet Forums  

Apostrophes

Go Back HighTechTalks DotNet Forums Microsoft DotNet Framework Dotnet Framework (ADO.net) Apostrophes

Dotnet Framework (ADO.net) microsoft.public.dotnet.framework.adonet


Discuss Apostrophes in the Dotnet Framework (ADO.net) forum.



Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old   
Fred Chateau
 
Posts: n/a

Default Apostrophes - 09-07-2007 , 08:09 PM





What is the proper way of handling apostrophes in parameter strings for
stored procedures?

--
Regards,

Fred Chateau
fchateauAtComcastDotNet



Reply With Quote
  #2  
Old   
Roy Harvey
 
Posts: n/a

Default Re: Apostrophes - 09-07-2007 , 08:36 PM





Replace each single quote character ' the is embedded in the string
with TWO of that character.

SELECT 'O''Hara'

----------
O'Hara

Roy Harvey
Beacon Falls, CT

On Fri, 7 Sep 2007 19:09:59 -0500, "Fred Chateau" <fchateau (AT) 127 (DOT) 0.0.1>
wrote:

Quote:
What is the proper way of handling apostrophes in parameter strings for
stored procedures?

Reply With Quote
  #3  
Old   
Erland Sommarskog
 
Posts: n/a

Default Re: Apostrophes - 09-08-2007 , 08:01 AM


Fred Chateau (fchateau (AT) 127 (DOT) 0.0.1) writes:
Quote:
What is the proper way of handling apostrophes in parameter strings for
stored procedures?
If the question is how to it in application code, the answer is that it
should never be an issue. You should never send EXEC strings, but use
RPC calls and create parameters with CreateParameter, AddParameter or
whatever method your client API provides.


--
Erland Sommarskog, SQL Server MVP, esquel (AT) sommarskog (DOT) se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx


Reply With Quote
  #4  
Old   
William \(Bill\) Vaughn
 
Posts: n/a

Default Re: Apostrophes - 09-09-2007 , 10:24 PM


Ah, no. The Parameters passed to a stored procedure (or even a parameterized
query) can only safely be managed with a Command Object's Parameters
collection. In this case you pass the string (which might contain an
apostrophy) to the Parameter.Value property--ADO (or ADO.NET) handles the
issue (and several others) automatically. If you are in a position to use
the Replace method (changing single apostrophys for two), your code is
subject to SQL injection attacks--a very common failing.

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
INETA Speaker
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
-----------------------------------------------------------------------------------------------------------------------
"Roy Harvey" <roy_harvey (AT) snet (DOT) net> wrote

Quote:
Replace each single quote character ' the is embedded in the string
with TWO of that character.

SELECT 'O''Hara'

----------
O'Hara

Roy Harvey
Beacon Falls, CT

On Fri, 7 Sep 2007 19:09:59 -0500, "Fred Chateau" <fchateau (AT) 127 (DOT) 0.0.1
wrote:

What is the proper way of handling apostrophes in parameter strings for
stored procedures?


Reply With Quote
Reply

« Previous Thread | Next Thread »



Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Powered by vBulletin Version 3.5.4
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.


Contact Us - HighTechTalks DotNet Forums - Archive - Top