Tuesday, March 20, 2012

Quotation Marks in SQL Server

I have an ASP.Net page that allows people to type in strings and store them into a SQL Server DB; which in turn gets displayed on a website.

The project has an admin side that can add/delete/edit announcements, which get displayed on an intranet site. These announcements can be clicked on to display further detail. When announcements are clicked on a javascript popup window is generated that displays the strings. All data is stored in a SQL Server DB.

What I need to know is: how do I check to see if a string has a quotation mark or apostrophe in it so that I can replace it with the appropriate HTML code? (Though it seems I can't display an apostrophe, even when using the HTML code ''')

If I store the string as was entered by the administrator (with quotation marks instead of '"'), the popup window will not display.

Try the links below for all the info you need, including how to enable the QUOTED_IDENTIFIER option in your create database statement and the restrictions. Hope this helps.

http://msdn2.microsoft.com/en-US/library/ms174393.aspx

http://msdn2.microsoft.com/en-US/library/ms176027.aspx

|||

Search the forums for:

A) Parameterized SQL Query (What you should do)

B) SQL String concatenation (What you are probably doing)

C) SQL Injection attack (The security problems of doing B instead of A)

|||
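Motley's points A, B and C, side by side as an added example (not code from the thread or from the asker's ASP.NET project): the concatenated insert and the parameterized insert run against the same table. Python's built-in sqlite3 module stands in for SQL Server so the block runs offline; ADO.NET uses @name parameters instead of ?, but the behaviour is the same. The apostrophe case is the one the thread is really about: with concatenation the admin's apostrophe ends the string literal early and the statement fails, which is why the admin would otherwise have to type it twice, and the same flaw is what a SQL injection attack relies on. With a parameter the text is stored verbatim and never parsed as SQL.

```python
import sqlite3

# Constructed sample announcements; the second contains an apostrophe, which is
# the character that breaks a concatenated statement.
SAMPLE_ANNOUNCEMENTS = [
    'This sentence has "Quotation Marks" in it',
    "Don't forget the meeting at 3pm",
]


def make_db():
    """In-memory SQLite database with a one-column announcements table (stand-in for SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE announcements (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def insert_concatenated(conn, body):
    """Pattern B: the admin's text is pasted straight into the SQL string.

    Returns True if the statement ran, False if the database rejected it.
    An apostrophe in body closes the literal early and the rest of the text is
    parsed as SQL, so the statement is a syntax error at best.
    """
    sql = "INSERT INTO announcements (body) VALUES ('" + body + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        return False


def insert_parameterized(conn, body):
    """Pattern A: the SQL is fixed and the text travels separately as a parameter.

    Quotes and apostrophes are ordinary data here; nothing the admin types can
    change the shape of the statement.
    """
    conn.execute("INSERT INTO announcements (body) VALUES (?)", (body,))
    conn.commit()
    return True


def fetch_bodies(conn):
    """All stored announcement texts, in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM announcements ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    for text in SAMPLE_ANNOUNCEMENTS:
        print("concatenated :", insert_concatenated(db, text), repr(text))
    for text in SAMPLE_ANNOUNCEMENTS:
        print("parameterized:", insert_parameterized(db, text), repr(text))
    print(fetch_bodies(db))
```

The parameterized version stores the apostrophe exactly as typed, so no doubling or replacing is needed on the way in; any HTML encoding belongs on the way out, when the text is rendered.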

Motley:

Search the forums for:

A) Parameterized SQL Query (What you should do)

B) SQL String concatenation (What you are probably doing)

C) SQL Injection attack (The security problems of doing B instead of A)

Not worried about SQL Injection attacks. This is an intranet app.

|||

Caddre:

Try the links below for all the info you need, including how to enable the QUOTED_IDENTIFIER option in your create database statement and the restrictions. Hope this helps.

http://msdn2.microsoft.com/en-US/library/ms174393.aspx

http://msdn2.microsoft.com/en-US/library/ms176027.aspx

Can you enable the Quoted_Identifier only when you create a new table?

|||

You can do it in your create database statement or create table; how to do it for a table is covered in the second link. Hope this helps.

|||

After reading the replies and links that were posted, I feel that I need to reiterate my question.

There is a page that displays records from a SQL Server DB. These records are "announcements" on an internal bulletin board. An admin has a special page that gives the admin the ability to edit, add or delete any of these records.

For instance, an admin can add an announcement (using a textbox) that says, 'This sentence has "Quotation Marks" in it'. I want to be able to search that specific phrase for the quotation marks and replace them with the appropriate code so that they may be displayed on the bulletin board. I don't want the admin to have to type double quotes or double apostrophes in order for them to show up.

The page needs to be user friendly, with any concatenation or alterations occurring server side.

So if anyone can tell me the proper way of saying

if str.chars(x) = "<quotation>" then ...

that would be much appreciated.

This is the javascript that generates the pop-up window:

<script language="javascript">
// popup function which receives the email group description and name as parameters
function popitup3(description, name)
{
  // window name comes from the parameter (the original passed the literal 'name')
  var newwindow2 = window.open('', name, 'height=400,width=600,scrollbars=yes');
  var tmp = newwindow2.document;
  tmp.write('<html><head><title>Alert Description</title>');
  tmp.write('</head><body><font face="verdana, tahoma, sans-serif" size="2">');
  tmp.write('<b><br><p align="justify">');
  // description is written as raw HTML, so it must already be HTML-encoded
  tmp.write(description);
  tmp.write('</p><p><a href="javascript:self.close()">close</a> this window.</p>');
  tmp.write('</b></font></body></html>');
  tmp.close();
}
</script>
Variable description is where the text with the quotes would most likely be.

|||
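The replacement the asker is looking for, as an added example that is not code from the thread or from the asker's project. It is written in Python (the server-side language here is ASP.NET, but the encoding steps are the same in any language) and assumes the popitup3 function posted above is called from an onclick attribute rendered by the admin page. The text crosses three contexts on its way to the screen and has to be encoded for each, innermost first: it is written into the popup as HTML, it sits inside a JavaScript string literal, and that JavaScript sits inside an HTML attribute value. Apostrophes come out as &#x27;, which browsers render as an ordinary apostrophe; the naive version is included to show where the raw quotes break the popup.

```python
import html
import json

# Constructed sample announcements, one with double quotes and one with an apostrophe.
SAMPLE_DESCRIPTIONS = [
    'This sentence has "Quotation Marks" in it',
    "Don't miss Friday's meeting",
]


def encode_for_html(text):
    """Encode text that will be written into the page as HTML (what tmp.write(description) does).

    html.escape replaces & < > " and ' with entities; the apostrophe becomes &#x27;.
    """
    return html.escape(text, quote=True)


def encode_for_js_literal(text):
    """Encode text as a JavaScript string literal (double-quoted, with quotes escaped).

    json.dumps yields a valid JS string literal; '</' is additionally split so the
    literal can never close a surrounding <script> element early.
    """
    return json.dumps(text).replace("</", "<\\/")


def naive_popup_link(description):
    """The pattern that breaks the popup: raw admin text pasted into the onclick attribute.

    A double quote in description ends the attribute value; an apostrophe ends the
    JavaScript string literal. Either way the click handler is a syntax error and
    the popup never opens.
    """
    return '<a href="#" onclick="popitup3(\'%s\', \'alert\')">Alert Description</a>' % description


def safe_popup_link(description):
    """Server-side rendering of the link for one announcement, encoded for every context.

    Order matters: HTML-encode for the popup body first, wrap that in a JS literal,
    then attribute-encode the whole JavaScript call.
    """
    as_html = encode_for_html(description)
    js_call = "popitup3(%s, 'alert')" % encode_for_js_literal(as_html)
    return '<a href="#" onclick="%s">Alert Description</a>' % html.escape(js_call, quote=True)


if __name__ == "__main__":
    for d in SAMPLE_DESCRIPTIONS:
        print(naive_popup_link(d))
        print(safe_popup_link(d))
```

The encoded attribute looks busy (&amp;quot; inside &quot;) but the browser unwinds it one layer at a time: the attribute decoder hands JavaScript a literal containing &quot;, and tmp.write hands the popup HTML containing &quot;, which renders as a plain double quote. Encoding only once, at one layer, is what leaves the quote free to terminate the string or the attribute.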

I am sorry, I did not understand your original post; you are looking for ANSI SQL LIKE and pattern search. Try the link below for sample code. Hope this helps.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_la-lz_115x.asp
