0

I'm working on a ASP.NET C# Webapplication with a SQL Database.

I have a column "Note" where I want to store for example the text "<test>". I set the column on the datatype "Varchar" and "Text".

But HeidiSQL put out an error. (SQL Fehler (402): The data types text and varchar are incompatible in the equal to operator)

Do you have a idea how I can store this text "<test>" in my database?

The statement I use is:

var sql="INSERT INTO Notes (Note) VALUES ('" + txtNew.Text.Replace("'","''") + "');
Panagiotis Kanavos
  • 120,703
  • 13
  • 188
  • 236
user2959702
  • 3
  • 1
  • 3
  • It can't be of type varchar AND of type text - which is it? Please post the script you're using to insert, and the schema. P.S. If SQL Server, datatype text is depreciated. – Bridge Dec 24 '14 at 08:41
  • 3
    ***What*** database?? SQL is just the query language - used by many databases. Things like this are highly vendor- and product-specific - so please add a relevant tag to your question to clear this up! – marc_s Dec 24 '14 at 08:43
  • I meant that I tried both .... the datatype "varchar" and "text" – user2959702 Dec 24 '14 at 08:47
  • INSERT INTO Notes (Note) VALUES ('" + txtNew.Text.Replace("'","''") + "'); thats my Insert ... I write text in a TextBox and store it in a SQl Server ... But the signs <> are not allowed ... – user2959702 Dec 24 '14 at 08:53
  • Don't use string concatenation, it's a recipe for disaster as you found out! There's nothing wrong with `<>`, the statement is wrong – Panagiotis Kanavos Dec 24 '14 at 08:57

2 Answers2

2

You don't mention what database you are using, although the issue occurs in all databases and the solution is the same.

  • You should always use Unicode text types like nvarchar in the databases that support them (like SQL Server, Oracle), or use a UTF8 collation for those that don't (like MySQL).
  • Data should be entered using parameterized queries to avoid encoding conversion errors
  • If it's absolutely impossible to use parameterized queries (can't imagine why) you should use the database's syntax for passing Unicode values. In SQL Server this is done by adding a N before the value, eg N'my unicode text'

You should also never use text, ntext, varchar(max) or nvarchar(max) values as all of these are BLOB types. They are used to store large data (up to 2 GB) so they are stored outside normal table storage resulting in large performance hits.

UPDATE

I just noticed in the comments that no special characters were involved after all, just string concatenation gone wrong. String concatenation should be avoided at all costs because:

  • They are error prone
  • They expose your code to SQL Injection attacks (image if instead of <text> someone entered moo');truncate table Notes;--)
  • Result in slower performance (the server can reuse the execution plans of parameterized queries)
  • Are ugly to code and maintain

To avoid such errors in the future you should use parameterized queries, which allow you to pass any value without conversion, encoding or formatting errors. The actual code is actually much cleaner, eg:

var myInsertCommand=new SqlCommand("INSERT into NOTES(Note) VALUES(@note)");
myInsertCommand.Parameters.Add("@note", SqlDbType.NVarChar,txtNew.Text.Length);
myInsertCommand.Parameters["@note"].Value = txtNew.Text;
myInsertCommand.ExecuteNonQuery();

If your field is actually a blob you can use the SqlDbType.Text or SqlDbType.NText parameter types.

Panagiotis Kanavos
  • 120,703
  • 13
  • 188
  • 236
0

If you are using SQL SERVER, use '<test>' (in Single quotes).

Also have a look at Stackoverflow question

Community
  • 1
  • 1
Sarvesh Mishra
  • 2,014
  • 15
  • 30