quotes into SQL query

  • Thread starter: Henry

Henry

I'm writing a class that crawls through a removable media retrieving file
info (who didn't make one yet?) and storing in an Access mdb.
OleDbCommand fails when the file name contains quotes as in
My friend's pictures.zip
When building the SQL INSERT query, I tried putting \" before and after as
suggested in a MS KB but it didn't work. I'm almost going to escape the
entire file name a la http...
Should I use stored procs and pass the file name as a parameter? Would it
avoid escaping the file name?

Many thanks

Henrique
 
Use Parameters instead.


cmd.CommandText = "INSERT INTO SomeTable Values (?, ?, ?)"

cmd.Parameters.Add(FirstValue)
cmd.Parameters.Add(SecondValue)

etc..

There are multiple overloads
(http://www.knowdotnet.com/articles/parametergotcha.html) and I'd recommend
using one of them because it gives you more control, but the example above
will work. This will give you cleaner code, better performance, and
improved security... All upside on this approach.

HTH,

Bill
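
Bill's suggestion applied to the file crawler from the question, as an added example that is not part of the original thread. The class and method names, the Files table with its three columns, the connection string and the drive letter are assumptions made for illustration.

```csharp
using System;
using System.Data.OleDb;
using System.IO;

static class FileCatalog   // hypothetical class, not from the thread
{
    // Assumed table: Files(FileName TEXT(255), FullPath MEMO, SizeBytes DOUBLE).
    // Concatenating the name instead, e.g. "... VALUES ('" + name + "')",
    // breaks on My friend's pictures.zip because the apostrophe ends the literal.
    const string InsertSql =
        "INSERT INTO Files (FileName, FullPath, SizeBytes) VALUES (?, ?, ?)";

    public static int StoreFiles(string connectionString, string root)
    {
        int stored = 0;
        using (var conn = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(InsertSql, conn))
        {
            // OleDb ignores parameter names and binds by position,
            // so add them in the same order as the ? markers.
            cmd.Parameters.Add("FileName", OleDbType.VarWChar, 255);
            cmd.Parameters.Add("FullPath", OleDbType.LongVarWChar);
            cmd.Parameters.Add("SizeBytes", OleDbType.Double);

            conn.Open();
            foreach (string path in
                     Directory.GetFiles(root, "*", SearchOption.AllDirectories))
            {
                var info = new FileInfo(path);
                // Values travel separately from the SQL text: no escaping needed.
                cmd.Parameters[0].Value = info.Name;
                cmd.Parameters[1].Value = info.FullName;
                cmd.Parameters[2].Value = (double)info.Length;
                stored += cmd.ExecuteNonQuery();
            }
        }
        return stored;
    }

    static void Main(string[] args)
    {
        // Constructed sample values: an Access file and a drive letter.
        string cs = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\temp\catalog.mdb";
        Console.WriteLine(StoreFiles(cs, @"E:\") + " rows inserted");
    }
}
```

The command is created once and only the parameter values change per file, so the SQL text never contains anything read from the media.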
 
If you use OleDbParameter for your file name, it should handle the quotes escape for you.

Tu-Thac

----- Henry wrote: -----

I'm writing a class that crawls through a removable media retrieving file
info (who didn't make one yet?) and storing in an Access mdb.
OleDbCommand fails when the file name contains quotes as in
My friend's pictures.zip
When building the SQL INSERT query, I tried putting \" before and after as
suggested in a MS KB but it didn't work. I'm almost going to escape the
entire file name a la http...
Should I use stored procs and pass the file name as a parameter? Would it
avoid escaping the file name?

Many thanks

Henrique
 