Cannot insert text having ' (apostrophe) into SQL Server table

Question

I'm trying to insert text into a SQL table using a textbox:

SqlCommand cmd = new SqlCommand("INSERT INTO Book(Title) VALUES ('" + textBoxTitle.Text + "','" +
"')", conn);

But if text contains apostrophe (ex. You'll...), it's showing: Incorrect syntax near 'll'.

Why is there a comma after the value and before the closing? — Joe Kasavage, Sep 28 '14 at 13:32
Don't put values directly into SQL statements. Use parameters instead. — Gordon Linoff, Sep 28 '14 at 13:34

score 3 · Accepted Answer · edited May 23 '17 at 12:08

First of all, you have two values in your VALUES part. One is textBoxTitle.Text and the other one is ''. But you provided just one column.

If that's true, you should delete '' part in your query. But more important, you should always use parameterized queries. This kind of string concatenations are open for SQL Injection attacks.

If parameterized queries and statements creates any problem with single quote, use double single quotes for each.

How do I escape a single quote in SQL Server?

Also use using statement to dispose your database connections and commands.

using(SqlConnection con = new SqlConnection(connString))
using(SqlCommand cmd = con.CreateCommand())
{
    cmd.CommandText = "INSERT INTO Book(Title) VALUES (@title)";
    cmd.Parameters.AddWithValue("@title", textBoxTitle.Text);
    con.Open();
    cmd.ExecuteNonQuery();
}

@Downvoter care to comment at least so I can see where I _might_ be wrong? — Soner Gönül, Jun 09 '18 at 23:40

score 0 · Answer 2 · answered Sep 16 '16 at 16:33

As an alternative if you are programming .Net you can use SqlBulkCopy to insert your data without escaping any characters.

https://msdn.microsoft.com/en-us/library/ex21zs8x(v=vs.110).aspx?cs-save-lang=1&cs-lang=vb#code-snippet-2

As a bonus it is fast (faster than INSERT if you have a lot to insert).

Cannot insert text having ' (apostrophe) into SQL Server table

2 Answers2