
I am currently working on a project where I need to submit a file path to a database, and be able to pull that path from the database as well.

Currently I am able to submit the path to the database and pull the data from the database, however the slashes in the path seem to be getting stripped from the string when I submit to the database.

How can I stop the \ from being stripped when submitting to the database and when pulling from the database?

Here is my save button event code:

// Directives needed at the top of the form's source file:
// using System;
// using System.Windows.Forms;
// using MySql.Data.MySqlClient;

private void btnSaveSettings_Click(object sender, EventArgs e)
{
    string myConnection = "datasource=localhost;port=3306;username=username;password=password";
    // The text box contents are concatenated straight into the SQL string literal
    string Query = "insert into ephex_contcollections.Paths (toindex,indexed) values('" + this.txtToIndexPath.Text + "','" + this.txtIndexedPath.Text + "') ;";

    try
    {
        using (MySqlConnection myConn = new MySqlConnection(myConnection))
        using (MySqlCommand cmdDB = new MySqlCommand(Query, myConn))
        {
            myConn.Open();
            cmdDB.ExecuteNonQuery(); // an INSERT returns no rows, so no data reader is needed
            MessageBox.Show("Save Successful");
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
} //close save button event

The string that I am submitting to the database looks like this while in the text box:

C:\Users\Meta\Desktop\Alpha

But it is stored in the database like this:

C:UsersMetaDesktopAlpha

Thanks in advance (I am new to using MySQL databases with C# and am rusty on my C# as well).

Mykola Yashchenko
Meta
  • You should construct a parameterized query instead of string concatenation. – gmiley Jan 13 '15 at 20:22
  • Queue SQL Injection discussion. Parameterize your statements. http://stackoverflow.com/questions/652978/parameterized-query-for-mysql-with-c-sharp – Michael McGriff Jan 13 '15 at 20:23
  • use parameters instead of the textbox text in the query – prospector Jan 13 '15 at 20:23
  • '\' is the escape character in C#. I am not sure how it functions with concatenating strings, but if you were to hardcode Query to insert a single record, the \ character would need to escape itself. For instance: string Query = "insert into ephex_contcollections.Paths (toindex,indexed) values ('Home','C:\\Users\\Home')" – David Jacobsen Jan 13 '15 at 20:25

2 Answers

You should use SQL Parameters, but if you want to solve this quick and dirty, add double slashes to the path so the output will be: C:\\Users\\Meta\\Desktop\\Alpha

string Query = "insert into ephex_contcollections.Paths (toindex,indexed) values('" + this.txtToIndexPath.Text.Replace(@"\" , @"\\") + "','" + this.txtIndexedPath.Text.Replace(@"\" , @"\\") + "') ;";
Sievajet
  • Thanks! I have adapted this in several places (submitting and pulling data), the program I am working on is for the office i work at and only 3 people (the CEO, COO, and myself) will have access to the program so I should be good using this method. – Meta Jan 13 '15 at 20:44
  • Use Sql Parameters no matter who is accessing your application. What if the CEO has a buddy who knows security and he tests your application to see if it is vulnerble to Sql Injection. – Mike Burdick Jan 13 '15 at 20:53
  • Always use Sql Parameters. Always. Not doing this as a matter of practice will lead to you not doing it when it matters more. Develop good habits now, not after the breach... – Mark Peters Jan 13 '15 at 21:12
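The parameterized version the comments ask for, as an added example that is not code from the question or either answer. It assumes the question's ephex_contcollections.Paths (toindex, indexed) table and an invented connection string; with bound parameters the path travels as data, so MySQL neither interprets its backslashes as escape sequences nor parses any of its characters as SQL, and no Replace() is needed on either the write or the read side.

```csharp
using System;
using MySql.Data.MySqlClient;

// Added example, not code from the question or the answers. Assumes the table
// ephex_contcollections.Paths(toindex, indexed) from the question and an
// invented connection string; adjust both for your environment.
public static class PathStore
{
    private const string ConnectionString =
        "server=localhost;port=3306;database=ephex_contcollections;" +
        "uid=username;pwd=password";

    // Store both paths. Each value is sent as a bound parameter, so MySQL never
    // parses the text as part of the statement: backslashes are kept verbatim
    // and a quote inside a path cannot change what the statement does.
    public static int SavePaths(string toIndex, string indexed)
    {
        const string sql =
            "INSERT INTO Paths (toindex, indexed) VALUES (@toindex, @indexed);";
        using (var conn = new MySqlConnection(ConnectionString))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@toindex", toIndex);
            cmd.Parameters.AddWithValue("@indexed", indexed);
            conn.Open();
            return cmd.ExecuteNonQuery();   // rows affected; no reader needed for INSERT
        }
    }

    // Read the stored 'indexed' path for a given 'toindex' path. The lookup value
    // is parameterized the same way, so reading back needs no escaping either.
    public static string LoadIndexedPath(string toIndex)
    {
        const string sql = "SELECT indexed FROM Paths WHERE toindex = @toindex LIMIT 1;";
        using (var conn = new MySqlConnection(ConnectionString))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@toindex", toIndex);
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : (string)result;
        }
    }

    public static void Main()
    {
        // Constructed sample values; the apostrophe would have broken the concatenated query.
        SavePaths(@"C:\Users\Meta\Desktop\Alpha", @"D:\Index\O'Brien");
        Console.WriteLine(LoadIndexedPath(@"C:\Users\Meta\Desktop\Alpha"));
    }
}
```

Because the values never pass through MySQL's string-literal parser, the round trip returns the path with every backslash intact, and the same code is safe for any text a user can type into the boxes.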

The problem you are having is that using a slash, even within a string, means something.

You need to use the special character for backslash within your string like this

"hello \\ world" = "hello \ world"

Also, you can use the @ symbol in front of the string to not use escape characters, but I don't recommend it, like this: string s = @"hello \ world" = "hello \ world".

Hope that helps.

Edit: Stack Overflow keeps editing my backslashes out

metinoheat