problem with single quote

[daimous]

hi pals!!! i have an encryption/decryption method sometimes the encrypted string has a single quote like this

Code:

E'å³

now my problem is everytime I execute query to insert that string into my database it always gives me an error message saying

Incorrect syntax near 'åÂ'.
Unclosed quotation mark after the character string ')'.

is there any posible solution for this? thanks in advance!!!

[jmcilhinney]

How exactly are you inserting this data? Are you using parameters like you should be, or are you using string concatenation to build up a literal SQL statement?

[daimous]

im using string concatenation....

Code:

encPswrd = RndCrypt(txtNewPassword.Text, txtNewUsername.Text.ToUpper());
qryStr = @"insert into users values('" + txtNewUsername.Text.ToUpper() + "','" + encPswrd + "','" + restriction + "')";
sqlCmd = new SqlCommand(qryStr, sqlConn);
sqlCmd.ExecuteNonQuery();

is there a better way to perform the above code?

[jmcilhinney]

Using string concatenation to build SQL statements is a bad idea for several reasons and this is just one of them. Use parameters wherever possible.

Code:

qryStr = "INSERT INTO Users (UserName, EncPswrd, Restriction) VALUES (@UserName, @EncPswrd, @Restriction)";
sqlCmd = new SqlCommand(qryStr, sqlConn);
sqlCmd.Parameters.AddWithValue("@UserName", txtNewUsername.Text.ToUpper());
sqlCmd.Parameters.AddWithValue("@EncPswrd", encPswrd);
sqlCmd.Parameters.AddWithValue("@Restriction", restriction);

[daimous]

Ok..i'll try your example..thanks!!

[daimous]

great!!! it works! thanks!

[jmcilhinney]

Cool. Don't forget to resolve your thread from the Thread Tools menu.