Single and double quotes in Sql Server 2005 insert query

Question

There is single and double quotes in the address textbox .How can I insert into database. I am using SQL2005. My code is as follows...

str = \"exec sp_cust_reg \         


        

Answer 1

One word: DON'T DO IT!

Use parametrized queries instead - those are both safer (no SQL injection) and easier to work with, and perform better, too!

SqlCommand cmd = new SqlCommand("dbo.sp_cust_reg", _connection);
cmd.CommandType = CommandType.StoredProcedure;

// add parameters and their values
cmd.Parameters.Add("@CustID", SqlDbType.Int).Value = customer.Cust_Id;
cmd.Parameters.Add("@Cust_Name", SqlDbType.VarChar, 100).Value = customer.Cust_Name;
 ..... and so on - define all the parameters!

_connection.Open();
cmd.ExecuteNonQuery();
_connection.Close();

Answer 2

You escape ' as ''.

So instead of str.Replace("\'", " ") use str.Replace("'", "''")

Answer 3

You can also use Parameterized queries for giving the values, using the AddWithValue() of Parameters like

SqlCommand cmd = new SqlCommand("dbo.sp_cust_reg",_connection);
cmd.CommandType= CommandType.StoredProcedure;

cmd.Parameters.AddWithValue("@TheDate",customer.Cust_Id);
cmd.Parameters.AddWithValue("@Cust_Name",customer.Cust_Name);

_connection.Open();
cmd.ExecuteNonQuery();
_connection.Close();

Why I am telling to use AddWithValue is - you explicitly set the sqldb.type and SQL knows exactly the dbtype when passed.