Rocky

Reputation: 4524

Getting an error while replacing the single quotes in text

I have a text box with a TinyMCE editor. I am entering some text containing single quotes in that text box, but in the query it is showing a syntax error.

I am trying to remove the single quotes with this:

txbCaption.Text = txbCaption.Text.Replace("'", "''");

and my query:

public void UpdateCaptions(Hashtable hashtable)
{
    if (hashtable != null)
    {
        foreach (int key in hashtable.Keys)
        {
            // The caption text is concatenated straight into the SQL string
            string query = "update Image set Description='" + hashtable[key] + "' where Id=" + key;
            // In this query I am getting the error
            SqlHelper.ExecuteNonQuery(Conn, CommandType.Text, query);
        }
    }
}

First I am calling Replace: Text.Replace("'", "''");
after that I am assigning this to:

if (ViewState["imgIdCapHtbl"] != null)
    imgIdCapHtbl = (Hashtable)ViewState["imgIdCapHtbl"];
int index = Convert.ToInt32(ViewState["pSelecectedImgIndex"]);

if (imgIdCapHtbl != null && imgIdCapHtbl.ContainsKey(imgIds[index]))
    imgIdCapHtbl[imgIds[index]] = txbCaption.Text;

and the imgIdCapHtbl hashtable key I am sending to the query for saving the description.

When I enter single quotes in my text, then in the query the single quotes are getting added 2 times.

I used regular expression validation also, but because of the TinyMCE editor it's not working for that.

Someone please tell me how to replace single quotes. I want that if a user wants to enter a single quote with the text, then the text box should accept the single quotes and my data gets saved without any error.

Upvotes: 0

Views: 346

Answers (1)

Daniel Mann

Reputation: 59020

Don't build a SQL string in that fashion; you've opened yourself up to SQL injection. Optimally, use a stored procedure with parameters. You can also use a parameterized query, such as:

string query = "update Image set Description=@description where Id=@id";

Then you add your parameters to the SqlCommand as follows:

commandToExecute.Parameters.AddWithValue("@description",hashtable[key]);
commandToExecute.Parameters.AddWithValue("@id",key);

Upvotes: 2
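The parameterized version of the asker's UpdateCaptions method, as an added example that is neither the asker's nor the answerer's code. It assumes a connection string passed to the constructor and the same Image(Id, Description) table from the question; the caption is passed as a parameter value, so single quotes in it need no escaping and cannot change the statement.

```csharp
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;

public class CaptionRepository
{
    private readonly string connString; // assumed: supplied by the caller

    public CaptionRepository(string connString)
    {
        this.connString = connString;
    }

    // Each caption is sent as a parameter value, never spliced into the SQL text,
    // so a caption such as "it's a 'test'" is stored verbatim and cannot alter the query.
    public void UpdateCaptions(Hashtable captionsById)
    {
        if (captionsById == null) return;

        const string sql = "update Image set Description = @description where Id = @id";

        using (var conn = new SqlConnection(connString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare the parameters once with explicit types. AddWithValue would infer
            // an NVARCHAR length from each value, which defeats plan caching.
            var descParam = cmd.Parameters.Add("@description", SqlDbType.NVarChar, -1); // -1 = NVARCHAR(MAX)
            var idParam = cmd.Parameters.Add("@id", SqlDbType.Int);

            conn.Open();
            foreach (int key in captionsById.Keys)
            {
                // Null captions are written as SQL NULL rather than the string "null"
                descParam.Value = (object)captionsById[key] ?? DBNull.Value;
                idParam.Value = key;
                cmd.ExecuteNonQuery();
            }
        }
    }
}
```

With this in place the `Replace("'", "''")` call on the caption is no longer needed; that doubling is what produced the duplicated quotes the question describes.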
