Showing posts with label description. Show all posts

Tuesday, March 20, 2012

Quote in input field yields error

Hello!

I have an input form that contains a textarea in which people can input the description of an item. They then click Insert or Update and the information is inserted or updated to a SQL Server database. Everything works fine unless someone includes a quote in the description. For example:

The item is Bob's computer.

The apostrophe in Bob creates a problem. I receive the following:

Incorrect syntax near 's'. Unclosed quotation mark before the character string '.

I understand the problem. How do I correct it?

Thanks!

PS I am using C#.|||Use parameters.

See here|||OF COURSE!! I knew I had done this at some time...thanks for JOGGING my brain!! :)|||I have the same problem, but I don't see how that tutorial would work for an input text box. If the user types in something like "Mike's car" (without the quotes), it ruins the sql string. How can I code around, or get the server to accept single quotes or apostrophes?
Thanks,
Sean|||The previous link will in fact resolve the problem. Honest.

A poorer alternative is replacing all ' with two ' characters ('' - this is NOT a regular quote, but two single quotes). Doing this still allows SQL Injection attacks to occur.|||Sorry, but I don't see how to apply it to an update statement. Here's a piece of my code:


Sub btnSubmit_Click(sender As Object, e As EventArgs)
    Dim strPurpose As String = txtPurpose.Text
    ' The user's text is concatenated straight into the SQL statement, so an
    ' apostrophe in it ends the string literal early (the error in this thread).
    Dim MySQL As String = "Insert into tbl_ExpsReports (expsPurpose) values ('" & strPurpose & "')"
    Dim MyConn As New OleDbConnection(ConfigurationSettings.AppSettings("MSDBconn"))
    Dim Cmd As New OleDbCommand(MySQL, MyConn)

    MyConn.Open()
    Cmd.ExecuteNonQuery()
    MyConn.Close()
End Sub

How do I allow the user to key in a single quote or apostrophe into the txtPurpose text box? The tutorial seems to be geared towards a return rather than input statement.
Thanks,
Sean|||What you are doing is not that unusual:

Sub btnSubmit_Click(sender As Object, e As EventArgs)
    Dim strPurpose As String = txtPurpose.Text
    ' The statement text is fixed; the OLE DB provider uses "?" as the
    ' positional placeholder for a parameter value.
    Dim MySQL As String = "Insert into tbl_ExpsReports (expsPurpose) values (?)"

    Dim MyConn As New OleDbConnection(ConfigurationSettings.AppSettings("MSDBconn"))
    Dim Cmd As New OleDbCommand(MySQL, MyConn)
    ' The value is sent separately from the SQL text, so quotes in it are data.
    ' (This Add(name, value) overload is from .NET 1.x; on .NET 2.0 and later
    ' use Cmd.Parameters.AddWithValue instead.)
    Cmd.Parameters.Add("expsPurpose", strPurpose)

    MyConn.Open()
    Cmd.ExecuteNonQuery()
    MyConn.Close()
End Sub
|||So, what you are saying is, if I use a parameterized insert statement, then the user can key in an apostrophe or single quote? Cool! ;^]|||Yes. And prevents SQL Injection.|||SQL injection... hmmmm... sounds bad.
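
Since the original poster is using C# against SQL Server, here is the same contrast in C# with SqlClient. This is an added example, not code from the thread: it assumes the table and column names from the poster's VB (tbl_ExpsReports, expsPurpose), a connection string named MSDBconn in the application configuration, and an nvarchar column of at most 500 characters (the length is an assumption). The unsafe builder is kept only to show what the concatenation produces for the exact input that broke the form.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example (not the thread's own code). Table, column and connection
// string names come from the thread; the 500-character limit is an assumption.
public static class ExpenseReports
{
    // The pattern from the thread: the user's text is spliced into the SQL.
    // For "Bob's computer" the apostrophe closes the literal early, which is
    // the "Unclosed quotation mark" error; crafted input could change the
    // statement itself. Kept only to contrast with the safe version below.
    public static string BuildUnsafeSql(string purpose)
    {
        return "INSERT INTO tbl_ExpsReports (expsPurpose) VALUES ('" + purpose + "')";
    }

    // The fix: the SQL text never changes, and the value travels as a typed
    // parameter. SQL Server does not parse the value as part of the statement,
    // so apostrophes, quotes and semicolons inside it are plain data.
    public static int InsertPurpose(string connectionString, string purpose)
    {
        const string sql = "INSERT INTO tbl_ExpsReports (expsPurpose) VALUES (@purpose)";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring type and length explicitly gives every call the same
            // parameterised statement shape (one cached plan) instead of a
            // per-length variant, which AddWithValue would produce.
            cmd.Parameters.Add("@purpose", SqlDbType.NVarChar, 500).Value = purpose;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed sample input: the text that broke the poster's form.
        string purpose = "The item is Bob's computer.";

        // Shows the broken literal the concatenation would have sent.
        Console.WriteLine(BuildUnsafeSql(purpose));

        string cs = ConfigurationManager.ConnectionStrings["MSDBconn"].ConnectionString;
        int rows = InsertPurpose(cs, purpose);
        Console.WriteLine("Rows inserted: " + rows);
    }
}
```

With OleDbCommand, as in the VB answer above, the placeholder is a positional "?" rather than a named "@purpose"; everything else is the same. The value "The item is Bob's computer." is stored unchanged, with no doubling of apostrophes in application code.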

Friday, March 9, 2012

Quick reference to sp_??

Hi:
Does anyone know of a quick reference guide to MSSQL stored procedures
(sp_?) where there is a 'one line' description of what the procedure
actually does?
I have seen the complete reference in the online books, but want a
quick-and-dirty guide.
TIA,
Martin.
Hi,
Procedure:-
A set of precompiled TSQL commands stored under a single name and processed
as a unit.
See the link below for information and examples of stored procedures.
http://www.awprofessional.com/articl...le.asp?p=25288
Thanks
Hari
MCDBA
"Martin Hart - Memory Soft, S.L." <memorysoftsl _at_ infotelecom _dot_ es>
wrote in message news:#uKvxNgeEHA.3520@.TK2MSFTNGP10.phx.gbl...
> Hi:
> Does anyone know of a quick reference guide to MSSQL stored procedures
> (sp_?) where there is a 'one line' description of what the procedure
> actually does?
> I have seen the complete reference in the online books, but want a
> quick-and-dirty guide.
> TIA,
> Martin.
>
|||Hmm, I believe we've just witnessed the effects of a rift in the spoken
language continuum. When such rifts are visible, it's possible for
unsuspecting questions to get sucked into a sort of linguistics black hole,
and I fear that is exactly what has happened here.
There are those who believe that if we were able to travel faster than the
speed of light, we could navigate these rifts to our advantage, and thereby
gain access to The Supreme Knowledge Of All Ages... not that I'm one of
them, of course, it's just something I overheard while killing time at a
sleazy dive bar, in a back-water space port about half a light-year and
change from... or wait, did I dream it? :-) No matter...
I gather from your question that you already know what a stored procedure
is, in generic terms. What you're looking for instead is a quick reference
that covers the *system* stored procedures that ship with SQL Server, right?
I agree this level of reference would be useful, at one point I was trying
to generate one from info_schema. Got it to the point that I needed a
scripting environment or cursors on steroids to make it look like I wanted.
I was hoping to extract a one-line mission statement from a good percentage
of them by loosely parsing the sources for comments -- god forbid they
follow any sort of prevalent convention. In the end I found myself wishing
that all the replication-specific SPs could be easily isolated/filtered from
view, as I found myself not caring quite so much if they were represented in
my little reference...
Then I decided just the names and order of the parameters for each would be
nominally useful. Then I decided to cut my losses and work on things that
made me money.
Sadly, after all that, I'm not aware of any such reference. A book by
Kalen Delaney has a chapter that somewhat approaches it, but packing around
1000 pages of paper defeats the premise of a quick ref.
Author: Kalen Delaney (based on the first edition by Ron Soukup)
Pages: 1088
Disk: 2 companion CD(s)
Level: Intermediate
Published: 11/15/2000
ISBN: 0-7356-0998-5
Sorry I don't have anything more worthwhile for you.. but at least I got
your question. :-)
-Mark
"Hari Prasad" <hari_prasad_k@.hotmail.com> wrote in message
news:uiIW5BheEHA.384@.TK2MSFTNGP10.phx.gbl...
> Hi,
> Procedure:-
> A set of precompiled TSQL commands stored under a single name and
> processed as a unit.
>
> See the below link for the informations and egs: for stored procedures.
> http://www.awprofessional.com/articl...le.asp?p=25288
> Thanks
> Hari
> MCDBA
>
> "Martin Hart - Memory Soft, S.L." <memorysoftsl _at_ infotelecom _dot_ es>
> wrote in message news:#uKvxNgeEHA.3520@.TK2MSFTNGP10.phx.gbl...
>
|||Hi Mark:
"Mark J. McGinty" <mmcginty@.spamfromyou.com> wrote in message
news:uSRVpoqeEHA.2812@.tk2msftngp13.phx.gbl...
[snip]
> Hmm, I believe we've just witnessed the effects of a rift in the spoken
> language continuum.

> I gather from your question that you already know what a stored procedure
> is, in generic terms. What you're looking for instead is a quick
> reference that covers the *system* stored procedures that ship with SQL
> Server, right?
[snip]
Yes, you are correct. I know what they are and how to use them, I just want
to have a list (which I can extract from the meta data) and a quick
description of what the procedure does, and maybe a brief résumé of the
parameters.
Indeed language is a strange medium and not easily interpreted. In
programming terms I'm looking for the XML documentation equivalent provided
in the .NET environment to document methods and properties!!
Thanks,
Martin.
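
The list Martin describes (procedure names plus their parameters in declared order, pulled from the metadata) can be generated from the catalog views. This is an added example and not something either poster wrote: it assumes SQL Server 2005 or later, where sys.all_objects and sys.all_parameters also expose the Microsoft-shipped system procedures (on SQL Server 2000, the era of this thread, the equivalent sources are master..sysobjects with xtype = 'P' and syscolumns), and it takes the connection string from the caller. It does not attempt the one-line description Martin wants; that is not recorded in the metadata.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Added example, not from the thread. Assumes SQL Server 2005+ catalog views;
// the connection string is supplied by the caller.
public static class SystemProcReference
{
    // One row per parameter, ordered by procedure and declaration position.
    // parameter_id 0 is the return value row, so it is excluded in the join.
    // 'sp[_]%' escapes the underscore, which is otherwise a LIKE wildcard.
    public const string Query = @"
SELECT o.name AS proc_name,
       p.parameter_id,
       p.name AS param_name,
       TYPE_NAME(p.user_type_id) AS param_type,
       p.is_output
FROM sys.all_objects AS o
LEFT JOIN sys.all_parameters AS p
       ON p.object_id = o.object_id AND p.parameter_id > 0
WHERE o.type = 'P'
  AND o.is_ms_shipped = 1
  AND o.name LIKE 'sp[_]%'
ORDER BY o.name, p.parameter_id;";

    // Returns one line per system procedure, e.g. "sp_help(@objname nvarchar)".
    public static List<string> Build(string connectionString)
    {
        var lines = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(Query, conn))
        {
            conn.Open();
            using (var rdr = cmd.ExecuteReader())
            {
                string current = null;
                var parms = new List<string>();
                while (rdr.Read())
                {
                    string name = rdr.GetString(0);
                    if (name != current)
                    {
                        if (current != null) lines.Add(Format(current, parms));
                        current = name;
                        parms.Clear();
                    }
                    // Procedures without parameters produce a single row with NULLs.
                    if (!rdr.IsDBNull(2))
                    {
                        string type = rdr.IsDBNull(3) ? "?" : rdr.GetString(3);
                        string output = rdr.GetBoolean(4) ? " OUTPUT" : "";
                        parms.Add(rdr.GetString(2) + " " + type + output);
                    }
                }
                if (current != null) lines.Add(Format(current, parms));
            }
        }
        return lines;
    }

    static string Format(string name, List<string> parms)
    {
        return name + "(" + string.Join(", ", parms.ToArray()) + ")";
    }

    public static void Main(string[] args)
    {
        // Connection string passed on the command line, e.g.
        // "Server=.;Database=master;Integrated Security=true".
        foreach (string line in Build(args[0]))
            Console.WriteLine(line);
    }
}
```

Filtering on is_ms_shipped = 1 keeps user procedures out of the list; dropping the LIKE clause would also include the xp_ and dm-related procedures, and a LIKE on 'sp[_]MS%' would isolate the replication-specific ones Mark wanted to hide.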
|||Martin,

> Does anyone know of a quick reference guide to MSSQL stored
> procedures (sp_?) where there is a 'one line' description of
> what the procedure actually does?
> I have seen the complete reference in the online books, but want a
> quick-and-dirty guide.
The closest thing to quick reference would be this page from Books
Online that lists the documented stored procedures grouped by
category.
http://msdn.microsoft.com/library/de...sp_00_519s.asp
Linda