how to allow special characters in a textbox with text and specil characters?

Question

1.00/5 (1 vote)

See more:

i have a textbox..when iam entering some text with special characters it is giving error...for example., "ari's @re in the'"...it is giving error in sql syntax(since iam displaying that text in a grid view using SQLConnection)

bool result = false;
            DataSet LocalDS = TSDS;
            OdbcConnection ConObj = null;
            OdbcCommand CmdObj = null;
            try
            {
                ConObj = new OdbcConnection(ConnString);
                ConObj.Open();
                if (LocalDS.Tables[0].Rows.Count != 0)
                {
                    DateTime dt;
                    string date;
                    foreach (DataRow dr in TSDS.Tables[0].Rows)
                    {
                        dt = Convert.ToDateTime(dr["Date"]);
                        date = dt.Year + "-" + dt.Month + "-" + dt.Day;
                        CmdObj = new OdbcCommand("insert into Record_table(Emp_name, Dates, Hours, Task , Client , project, Comments, TeamMemberType)" +
                            "values('" + Emp_name + "', '" + date + "'," + dr[4] + ",'" + dr[2] + "' ,'" + dr[0] + "' ,'" + dr[1] + "','" + dr[6] + "','" + dr[5] + "')", ConObj);
                        CmdObj.ExecuteNonQuery();
                        result = true;
                    }
                }
                else { result = false; }
            }
// the comments part is having special characters in its text..that is giving problem

Posted 24-Jan-14 3:11am

ahmed ali mohd

Updated 24-Jan-14 18:33pm

Sampath Lokuge

v2

Add a Solution

Comments

Sampath Lokuge 24-Jan-14 9:23am

Can you put your code snippet ?

ahmed ali mohd 25-Jan-14 0:30am

bool result = false;
DataSet LocalDS = TSDS;
OdbcConnection ConObj = null;
OdbcCommand CmdObj = null;
try
{
ConObj = new OdbcConnection(ConnString);
ConObj.Open();
if (LocalDS.Tables[0].Rows.Count != 0)
{
DateTime dt;
string date;
foreach (DataRow dr in TSDS.Tables[0].Rows)
{
dt = Convert.ToDateTime(dr["Date"]);
date = dt.Year + "-" + dt.Month + "-" + dt.Day;
CmdObj = new OdbcCommand("insert into Record_table(Emp_name, Dates, Hours, Task , Client , project, Comments, TeamMemberType)" +
"values('" + Emp_name + "', '" + date + "'," + dr[4] + ",'" + dr[2] + "' ,'" + dr[0] + "' ,'" + dr[1] + "','" + dr[6] + "','" + dr[5] + "')", ConObj);
CmdObj.ExecuteNonQuery();
result = true;
}
}
else { result = false; }
}
// the comments part is having special characters in its text..that is giving problem

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Stephen Hewison · Accepted Answer · 2014-01-24T03:35:00

You're most likely writing in-line SQL

if you write an SQL statement in c# such as:

C#

string SQL = "SELECT * FROM TableA WHERE Field a like '" + input + "'"

It means anything in the input which breaks to quotes is going to create a syntax error.

For this very purpose ADO.Net and parameters allow you to negate the problem of escaping your input values.

C#

IDbCommand cmd = new connection.CreateCommand();
cmd.CommandText = "string SQL = "SELECT * FROM TableA WHERE Field a like @input"";
IDbDataParameter param = cmd.CreateParameter();
param.ParameterName = "@input";
param.DbType = DbTypes.String;
cmd.Parameters.Add(param);

IDataReader reader = cmd.ExecuteReader();

Using this approach where you let ADO manage adding your input through parameters will resolve you problems.

Also, using in-line SQL creates a large security risk. Consider the following input.

';GO;DELETE FROM TableA;GO;

A statement like this inserted using in-line SQL has the potential to do damage. This type of attack is called an SQL Injection Attack

SQL Injection[^]

Karthik_Mahalingam · Accepted Answer · 2014-01-25T09:42:00

Try using Parameterized query , it saves the DB from SQL_injection[^]

C#

CmdObj = new OdbcCommand("insert into Record_table(Emp_name, Dates, Hours, Task , Client , project, Comments, TeamMemberType)" +
                           "values( @Emp_name,@Dates, @Hours, @Task , @Client , @project, @Comments, @TeamMemberType", ConObj)

           CmdObj.Parameters.AddWithValue("@Emp_name", Emp_name);
           CmdObj.Parameters.AddWithValue("@Dates", date);
           CmdObj.Parameters.AddWithValue("@Hours", dr[4]);
           CmdObj.Parameters.AddWithValue("@Task", dr[2]);
           CmdObj.Parameters.AddWithValue("@Client", dr[0]);
           CmdObj.Parameters.AddWithValue("@project", dr[1]);
           CmdObj.Parameters.AddWithValue("@Comments", dr[6]);
           CmdObj.Parameters.AddWithValue("@TeamMemberType", dr[5]);

how to allow special characters in a textbox with text and specil characters?

2 solutions

Solution 1

Solution 2

Add your solution here

Preview 0