0

In my program I have this statment ......

ct = String.Format(@"select [Movie Selector] from WSTMDS3
            natural prediction join 
            (select

             '{0}'as[Age],
            '{1}'as[Education Level],
            '{2}'as[Gender],
            '{3}'as[Home Ownership],
            '{4}'as[Internet Connection],
            '{5}'as[Marital Status]

            )as MovieSelector",
             TextBox1.Text,
             DropDownList1.SelectedValue,
             DropDownList2.SelectedValue,
             DropDownList3.SelectedValue,
             DropDownList4.SelectedValue,
             DropDownList5.SelectedValue)
                ;

But in DropDown list1 "Education Level " I have some value like this Master' Degree how i can use the single quote ' in this statment .

thanks

hoss
  • 2,430
  • 1
  • 27
  • 42
AYKHO
  • 516
  • 1
  • 7
  • 20

3 Answers3

10

You should not use string.Format to build your queries. You should use parameterized queries.

adomdCommand.CommandText = "SELECT ... @P1 ...";
adomdCommand.Parameters.Add(new AdomdParameter("P1", TextBox1.Text));
// etc..

Related

Community
  • 1
  • 1
Mark Byers
  • 811,555
  • 193
  • 1,581
  • 1,452
1

Use SqlCommand and SqlParameter. Example

SqlCommand sqlCom=new SqlCommand();
sqlCom.CommandText=@"select [Movie Selector] from WSTMDS3
        natural prediction join 
        (select

         @P0 as[Age],
        @P1 as[Education Level],
        @P2 as[Gender],
        @P3 as[Home Ownership],
        @P4 as[Internet Connection],
        @P5 as[Marital Status]

        ";
sqlCom.Parameters.AddWithValue("@P0",TextBox1.Text);
user1208484
  • 110
  • 2
0

Besides using parametrized queries - the escape method for single quotes in T-SQL syntax is to double them.

kaiz.net
  • 1,984
  • 3
  • 23
  • 31