Escaping special character in string in C#

Question

Need your help in below.

I have code where I am checking that a particular row exists in datatable or not; if row doesn't exist then I add that row to datatable. This is working fine however failing when row value contains special char link ' (single quote).

Below is the code:

string lastName = dgRow.Cells[2].Text.Replace("amp;", "");
DataRow[] dr = dt.Select("LastName='" + lastName + "'"); //check whether row is available in datatable or not

if (dr.Length <= 0)// Condition to check if row is there in data table
{
    dt.Rows.Add();
    dt.Rows[dt.Rows.Count - 1]["FirstName"] = dgRow.Cells[1].Text;
    dt.Rows[dt.Rows.Count - 1]["LastName"] = dgRow.Cells[2].Text;
    dt.AcceptChanges();
}
return dt; //Return modified data table to calling function.

This code fails when LastName contains single quotes.

I need a solution where I am not removing quotes from last name.

Thanks

this code is running On the Web Form? – cuongle Feb 07 '13 at 07:10 — cuongle, Feb 07 '13 at 07:10
you mean this code dgRow.Cells[2].Text contains quotes? – cuongle Feb 07 '13 at 07:13 — cuongle, Feb 07 '13 at 07:13
you can replace '(single quote) with ''(double)... – Sachin Feb 07 '13 at 07:18 — Sachin, Feb 07 '13 at 07:18

Jon Skeet · Answer 1 · 2013-10-28T16:05:35.633

6

Instead of using dt.Select() in the first place, I'd strongly suggest using LINQ. It avoids the whole "embedding queries in strings" problem which is so ghastly and reminiscent of SQL injection attacks.

So:

var lastNameToFind = dgRow.Cells[2].Text.Replace("&amp;", "");
var matched = dt.AsEnumerable()
                .Where(dr => dr["LastName"].Equals(lastNameToFind))
                .Any();

if (matched)
{
    DataRow newRow = dt.NewRow();
    dt.Rows.Add(newRow);
    newRow["FirstName"] = dgRow.Cells[1].Text;
    newRow["LastName"] = dgRow.Cells[2].Text;
    dt.AcceptChanges();
}

edited Oct 28 '13 at 16:05

answered Feb 07 '13 at 07:16

Jon Skeet

1,421,763
867
9,128
9,194

I didn't want to suggest this as an edit in case I've just misunderstood. I implemented your code above but got an error that 'dr' was undefined. After some reading to improve my understanding of LINQ (so thanks for providing a prompt to do so!) I changed it to .Where(dr => dr["LastName"].Equals(lastNameToFind)) and this solved it. Thanks for the solution. – Kate Oct 28 '13 at 15:09

score 0 · Answer 2 · answered Feb 07 '13 at 07:16

0

Try changing:

DataRow[] dr = dt.Select("LastName='" + dgRow.Cells[2].Text.Replace
("amp;", "")+ "'");

to this:

DataRow[] dr = dt.Select("LastName='" + dgRow.Cells[2].Text.Replace
("amp;", "").Replace("\'", "\'\'") + "'");

(untested)

answered Feb 07 '13 at 07:16

Nigel Whatling

2,371
1
16
22

Better implementation (as mentioned by @Rawling) in [Correct way to escape characters in a DataTable Filter Expression](http://stackoverflow.com/questions/386122/correct-way-to-escape-characters-in-a-datatable-filter-expression) – Nigel Whatling Feb 07 '13 at 07:17
Thanks, this is working however its failing in newRow["LastName"] = dgRow.Cells[2].Text; also in my datatable only single quote should go – user1717270 Feb 07 '13 at 07:42

score 0 · Answer 3 · edited May 23 '17 at 11:52

0

You can replace Single quote with Double Quote :

Dim LastName As String = Replace(txtLastName.Text, "'", "''")

but it is not good practice...

check this out : Replacing apostrophe in asp.net to prevent SQL error

edited May 23 '17 at 11:52

Community

1
1

answered Feb 07 '13 at 07:24

Sachin

2,152
1
21
43

Escaping special character in string in C#

3 Answers3