[OperationContract]
[WebInvoke(Method = "*", UriTemplate = "/insert/{src}/{input}/", RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json, BodyStyle = WebMessageBodyStyle.Wrapped)]
string insert(string src, string input);


What I have tried:

con.Open();
string q = "insert into log(@code,@input) values ('" + src.ToString() + "','" + input.ToString() + "')";
SqlCommand cmd = new SqlCommand(q, con);
cmd.ExecuteNonQuery();
Posted
Updated 4-Apr-18 1:26am
Comments
Afzaal Ahmad Zeeshan 4-Apr-18 8:21am    
What is the problem, can you be more specific? Is the data being stored, or not at all?

The problem with your query is that you're concatenating the values into the SQL statement. This leaves you open to SQL injection and introduces, for example, conversion problems.

The correct way to do this is to use the SqlParameter Class (System.Data.SqlClient)

Also, you don't specify the @ sign for the column names, unless they really contain it. The syntax is
SQL
INSERT INTO TableName (ColumnName, ColumnName, ...) VALUES (@ParameterName, @ParameterName, ...)

For more details, have a look at Properly executing database operations
C#
string q = "insert into log(@code,@input) values ('" + src.ToString()+ "','" + input.ToString() + "')";

possibly a solution to your question.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user input, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user entering a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input is promoted to SQL commands with all credentials.
SQL injection - Wikipedia
SQL Injection
SQL Injection Attacks by Example
PHP: SQL Injection - Manual
SQL Injection Prevention Cheat Sheet - OWASP
By using parameters you will be able to insert the special characters. For example:
C#
using System.Data;
using System.Data.SqlClient;

private void InsertMethod(string code, string input)
{
  // The connection is closed and disposed when the using block ends
  using (var conn = new SqlConnection(ConnectionString))
  {
    conn.Open();
    // Values travel as parameters; they are never pasted into the SQL text
    var myQuery = "insert into [log] ([code],[input]) values (@code, @input)";
    var paramCode = new SqlParameter("@code", SqlDbType.NVarChar) { Value = code };
    var paramInput = new SqlParameter("@input", SqlDbType.NVarChar) { Value = input };
    using (var cmd = new SqlCommand(myQuery, conn))
    {
      cmd.Parameters.Add(paramCode);
      cmd.Parameters.Add(paramInput);

      cmd.ExecuteNonQuery();
    }
  }
}
In this example I use SqlDbType.NVarChar. You can use a whole series of types that of course should match your table structure.
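As an added example (not code from the question or from any of the answers), the same contrast in Python against an in-memory SQLite database, so it runs without a SQL Server instance: the concatenated form from the question fails on the "Brian O'Conner" input the second answer mentions, while the parameterized form the third answer recommends stores it unchanged. Table and column names follow the question; SQLite's `?` placeholder stands in for SqlClient's `@name` parameter.

```python
import sqlite3


def _fresh_db():
    """Constructed in-memory database mirroring the question's 'log' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE log (code TEXT, input TEXT)")
    return con


def insert_concatenated(con, code, input_value):
    """The questioner's pattern: values pasted straight into the SQL text."""
    q = "insert into log(code,input) values ('" + code + "','" + input_value + "')"
    con.execute(q)


def insert_parameterized(con, code, input_value):
    """The answers' pattern: placeholders in the SQL, values passed separately."""
    con.execute("insert into log(code,input) values (?, ?)", (code, input_value))


def concatenation_breaks(name):
    """True if the concatenated statement is rejected by the SQL parser.

    A single quote inside the value terminates the string literal early,
    so the rest of the input is parsed as SQL and the statement fails.
    """
    con = _fresh_db()
    try:
        insert_concatenated(con, "src1", name)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def parameterized_round_trip(name):
    """Insert with a parameter and return what the table actually holds."""
    con = _fresh_db()
    insert_parameterized(con, "src1", name)
    (stored,) = con.execute("select input from log where code = 'src1'").fetchone()
    con.close()
    return stored


if __name__ == "__main__":
    print(concatenation_breaks("Brian O'Conner"))        # True
    print(parameterized_round_trip("Brian O'Conner"))    # Brian O'Conner
```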
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)