how to save string variable with apostrophe using .net

Question

I have a query like this:

sql = "Select * From T_ExhibitorLocation 
        where F_ExhibitionCode='" & Cmb_Exhibition.SelectedValue.ToString & "' 
          and F_ExhibitorCode='" & Trim(Txt_ExhibitorID.Text) & "' 
          and F_Site='" & cmb_Site.SelectedValue.ToString &` "'"

Some time my F_site name come with apostrophe, example like this 'Artist's Shell'. So this time how I can save this name with apostrophe ?? thanks in advance

Dont build sql that way. Use SQL Parameters and the SQL will be more readable and problems with ticks will vanish. — Ňɏssa Pøngjǣrdenlarp, May 17 '15 at 13:09
Plus SQL parameters will [prevent sql injection](http://stackoverflow.com/a/306675/106866) — jao, May 17 '15 at 13:23

score 2 · Answer 1 · answered May 17 '15 at 13:27

Like Pluntonix said in his comment always try to avoid building sql command in this way..try the below way if you can

var command = new SqlCommand("Select * From T_ExhibitorLocation 
        where F_ExhibitionCode=@Cmbexhibition 
          and F_ExhibitorCode=@exhibitioncode
          and F_Site=@site");
SqlParameter param1  = new SqlParameter();
param1.ParameterName = "@Cmbexhibition";
param1.Value         = Cmb_Exhibition.SelectedValue.ToString();

SqlParameter param2  = new SqlParameter();
param2.ParameterName = "@exhibitioncode";
param2.Value         = Trim(Txt_ExhibitorID.Text);

SqlParameter param3  = new SqlParameter();
para3.ParameterName = "@site";
param3.Value         =cmb_Site.SelectedValue.ToString();

command.Parameters.Add(param1);
command.Parameters.Add(param2);
command.Parameters.Add(param3);

Then execute it.

I would rather create typed parameters – Sami Kuhmonen May 17 '15 at 15:14 — Sami Kuhmonen, May 17 '15 at 15:14

how to save string variable with apostrophe using .net

1 Answers1