catastrophekid
New Member
I'm entering data from a form directly into my database. Despite using the "@" symbol in my SQL statement, this crashes whenever the input includes an apostrophe. How can I avoid this problem? Please advise. Thanks!<BR><BR>string strSQL = @"INSERT INTO Item (ItemName) VALUES ('" + txtItem.Text + "')";<BR>Well there are a couple of ways. One way is to use the String.Replace method and remove the ' when you concatenate the string. Another way ( The way I like ) is to do this...<BR><BR>string strSql = "INSERT INTO Item(ItemName) VALUES(@ItemName)"<BR><BR>SqlCommand command = new SqlCommand(strSql,strConn)<BR>command.parameters.Add("@ItemName",SqlDbType.Varchar,200).value = http://aspmessageboard.com/archive/index.php/txtItem.Text<BR><BR>command.ExecuteNonQuery()Thank you for getting me on the right track. I resolved the problem with the following code. Your code is more efficient, but I kept getting errors. Do I always need to explicitly declare each parameter like I've done? Please advise. Thanks again!<BR><BR>string strSQL = "INSERT INTO Item (ItemName) VALUES (@ItemName)";<BR> <BR>objCommand = new OleDbCommand(strSQL, objConnection);<BR> <BR>SqlParameter parameterItemName = new SqlParameter("@ItemName", SqlDbType.VarChar, 50);<BR>parameterItemName.Value = txtItem.Text;<BR> objCommand.Parameters.Add(parameterItemName);<BR><BR>objCommand.ExecuteNonQuery();