Updating field with single/double quotes

  • Thread starter Thread starter VB Programmer
  • Start date Start date
V

VB Programmer

I have a memo field in my Access database that is called HtmlText.

I have a text box in my ASP.NET application that I fill with HTML. The HTML
has both single and double quotes throughout the HTML.

I tried to run an UPDATE query to update the db but it fails. I think it's
because of the quotes. How can I get the UPDATE command to update fields
that contain both single and double quotes?

Ideas? Examples?

Thanks.
 
Dynamic Sql that isn't parameterized is trouble waiting to happen. I've
written about it here http://msmvps.com/williamryan/posts/4063.aspx
http://www.knowdotnet.com/articles/temptables.html

But like Miha mentions, check out OleDbParameter. Here's a walkthrough, just
replace the named parameters @ParamName with a ? which is what OleDb users.

You can also replace your single quotes with doubles but that's still a bad
thing to do for 100 other reasons.

Also if you have a Web app, Access probably isn't going to be kind to you.
You may want to opt for Sql Server MSDE whichh is free, has much better
security, stored procedures,and is in every way better ;-)


No matter what you do, don't use Dynamic SQL and conacatenate in values, use
Params. Everyone with any ADO.NET experience will tell you this and anyone
that tells you otherwise is full of cr**.


HTH,

Bill

--
W.G. Ryan MVP Windows - Embedded

http://forums.devbuzz.com
http://www.knowdotnet.com/dataaccess.html
http://www.msmvps.com/williamryan/
 
VB Programmer said:
I have a memo field in my Access database that is called HtmlText.

I have a text box in my ASP.NET application that I fill with HTML. The HTML
has both single and double quotes throughout the HTML.

I tried to run an UPDATE query to update the db but it fails. I think it's
because of the quotes. How can I get the UPDATE command to update fields
that contain both single and double quotes?
Click to expand...

See http://www.pobox.com/~skeet/csharp/faq/#db.parameters
 
This is a rant and I'm not referring to VB Programmer or anyone in
particular- this is a rant about the state of dynamic Sql in general. I
clicked on Jon's link and totally agree. It just got me thinking about the
subject again.

With all of the trouble Dynamic Sql w/out parameters causes, it's amazing to
me that Microsoft isn't more adamant in renouncing it. I caught a bunch of
flak when I said it should die - one guy told me I couldn't do all the stuff
he's done without it. I kindly asked him to show me one example where that
was true and he was unable to put forward one. That's not b/c I'm
brilliant, it's b/c that argument is just wrong.

One thing that's really grating though is when you show people how to use
Parameterized queries and they reject your approach b/c the book they have
shows it with concatenated sql and they'd rather go with a 'proven' method.
Makes me want to pull my hair out. I think it will remedy itself, but
there's a lot of resistance to it (I have absolutely no idea why) and for
some reason, adoption is slow in coming. Outside of the whole injection
attack thing and the performance thing , coding it and maintaining it is a
damned nightmare. It's amazing some people get as far as they do b/c
debugging that crap is a nightmare. When I saw how params worked a few
years ago, I immediately hopped on board just b/c I knew I wouldn't have any
more string concatenation errors. Purely selfish. Then I saw how easy and
flexible it was. And I saw a few people who berated paramaters as
unnecessary and rigid, over and over have stuff blow up b/c of an Irish last
name or b/c they forgot to add a single quote somewhere. Then they came up
with a replace routine but calling that on every query (which is necessary
to be 'safe') got really bulky. Over and over more reasons presented
themselves but a few of them would not change, let alone switch to stored
parameters to save their lives One junior programmer even got reamed a new
one b/c she used Stored Procedures and they 'screw everything up'. Every
day, two at most there's a problem with someone and dynamic sql on one of
the ngs. Still it persists. Parameters and/or stored procs remain probalby
the hardest sell of everything in Ado.net. That's what blows my mind. Just
about everyone can buy into the disconnected model which is a big paradigm
shift. How using parameters is more revolutionary and intimidating is still
a mystery. And the thing is that it's HARDER to use, more verbose, more
everythign bad. I don't think I'll ever understand it.

Sorry for ranting OT, I just get the feeling that all of the writing,
posting etc about the downside of it barely puts a dent in it .

--
W.G. Ryan MVP Windows - Embedded

http://forums.devbuzz.com
http://www.knowdotnet.com/dataaccess.html
http://www.msmvps.com/williamryan/
 
Sorry for ranting OT, I just get the feeling that all of the writing,
posting etc about the downside of it barely puts a dent in it .
Click to expand...

No, I totally agree. It's scary how regularly this question comes up.

Does MS have any dynamic SQL in its examples? If so, we should write to
them about it...
 
Back
Top