Replacing double quotes with slash?

  • Thread starter Thread starter VMI
  • Start date Start date
V

VMI

This is how I create a string that I will then send to my ODBC class for an
INSERT into mysql:

sSQL = String.Format("insert into myTable (field1, field2) values (" + '"' +
"{0}" + '"' + ", {1})", "THIS IS A TEST", 2032);

The result is sSQL equals
"insert into myTable (field1, field2) values (\"THIS IS A TEST\", 2032)"

how can I eliminate that slash? mysql doesn't recognize the slash in the
INSERT statement.

Thanks.
 
This is how I create a string that I will then send to my ODBC class for an
INSERT into mysql:

sSQL = String.Format("insert into myTable (field1, field2) values (" + '"' +
"{0}" + '"' + ", {1})", "THIS IS A TEST", 2032);

The result is sSQL equals
"insert into myTable (field1, field2) values (\"THIS IS A TEST\", 2032)"

how can I eliminate that slash? mysql doesn't recognize the slash in the
INSERT statement.

Thanks.
Click to expand...

Does mySQL use double quotes around string values? Microsoft SQL uses
single quotes.
 
VMI said:
This is how I create a string that I will then send to my ODBC class for
an
INSERT into mysql:

sSQL = String.Format("insert into myTable (field1, field2) values (" + '"'
+
"{0}" + '"' + ", {1})", "THIS IS A TEST", 2032);

The result is sSQL equals
"insert into myTable (field1, field2) values (\"THIS IS A TEST\", 2032)"

how can I eliminate that slash? mysql doesn't recognize the slash in the
INSERT statement.
Click to expand...

There is no slash in the string. The debugger uses the slash when
displaying the string to indicate special characters (the same way you
indicate special characters to the compiler) like tab or quote.

Use of String.Format opens you up to SQL injection attacks though, learn to
use parameterized queries.
 
MySql can use parameterised queries rather than strings like you have
done... the parameters in the string are marked with a questionmark.

e.g.

Sql = "insert into mytable (field1, field2) values (?, ?)";

SqlCommand cmd = new SqlCommand(conn, Sql);

cmd.Parameters.Add("@field1", DbType.VarChar).Value = "THIS IS A TEST";
cmd.Parameters.Add("@field2", DbType.Int).Value = 2032;

cmd.ExecuteNonQuery();

Because MySql parameters use question marks, the parameter list has to be in
the correct order. I have never tried it, but the @field1 etc. could
potentially be absolutely anything you want.

You are much safer with parameters as well.

--
Best regards,
Dave Colliver.
http://www.AshfieldFOCUS.com
~~
http://www.FOCUSPortals.com - Local franchises available
 
VMI said:
Yes, it uses double quotes.
Click to expand...

MySQL supports '' for string literals as any standard
compliant database.

If MySQL is not in ANSI mode it also allows "" for string
literals, but if it is in ANSI mode then "" is used around
identifier (like [] in SQLServer).

I will strongly recommend using '' because there are no
reason to write code that relies on a specific configuration
when it is not necessary.

Arne
 
Ben said:
There is no slash in the string. The debugger uses the slash when
displaying the string to indicate special characters (the same way you
indicate special characters to the compiler) like tab or quote.

Use of String.Format opens you up to SQL injection attacks though, learn
to use parameterized queries.
Click to expand...

Very good advice. No need to see another web site hacked due to
SQL injection.

Arne
 
VMI said:
This is how I create a string that I will then send to my ODBC class for an
INSERT into mysql:
Click to expand...

Why not use MySQL Connector for .NET instead of ODBC?

Better performance and especially better error messages!

Arne
 
David said:
MySql can use parameterised queries rather than strings like you have
done... the parameters in the string are marked with a questionmark.

e.g.

Sql = "insert into mytable (field1, field2) values (?, ?)";

SqlCommand cmd = new SqlCommand(conn, Sql);

cmd.Parameters.Add("@field1", DbType.VarChar).Value = "THIS IS A TEST";
cmd.Parameters.Add("@field2", DbType.Int).Value = 2032;

cmd.ExecuteNonQuery();

Because MySql parameters use question marks, the parameter list has to be in
the correct order. I have never tried it, but the @field1 etc. could
potentially be absolutely anything you want.
Click to expand...

ODBC parameters are "?" and order matters.

MySQL parameters are "?name" just like for other ADO.NET providers.

Arne
 
Back
Top