Passing a string containing special characters to database

Question

I am building a database in c# using visual studio. I am trying to pass a paragraph of text from the site into sql server database. However types of punctuation are being read as special characters such as ' or ". Would anyone be able to tell me how to replace these so that they will successfully pass into the database? Below is an example of my code.

DataAccess layer

    public static String createNewPresident(string strTitle, string strText, string strImageUrl)
{
    SqlConnection conn = openConnection();//Open Connection

    string strSQL = "INSERT INTO President(PresidentTitle, " +
                " PresidentDescription, " + " PresidentImageURL) " +
                " VALUES('" + strTitle + "' , '" + strText + "' , '" + strImageUrl + "')";//Insert Into Statement

    SqlCommand cmd = new SqlCommand(strSQL, conn);

    cmd.ExecuteNonQuery();

    closeConnection(conn);//Close Connection
    return strTitle;//Display Success
}//createNewPresident

Business Layer Logic

 private string strTitle, strText, strImageurl;

public Add_New_President_Class(string nTitle, string nText, string nImageurl)
{
    strTitle = nTitle;
    strText = nText;
    strImageurl = nImageurl;
}//constructor

public void createNewPresident()
{
    String retTitle = DataAccess.createNewPresident(strTitle, strText, strImageurl);
    strTitle = retTitle;
}

public string getTitle()
{
    return strTitle;
}

and c# code behind page

protected void btnAddNewPresident_Click(object sender, EventArgs e)
{
    String imageName = fuImagePresident.FileName;
    fuImagePresident.PostedFile.SaveAs(Server.MapPath("../Home_Images/president.jpg"));
    String url = "../Home_Images/president.jpg";

    String textReplaced;
    textReplaced = txtPresidentText.Text.Replace("\n", "<br />");

    Add_New_President_Class newPresident = new Add_New_President_Class(txtPresidentTitle.Text, textReplaced, url);
    newPresident.createNewPresident();

    Session["newpresident"] = newPresident;
    txtPresidentTitle.Text = "";
    txtPresidentText.Text = "";
    Response.Write("<script>window.alert('A news president has been added')</script>");
}

Any help would be greatly appreciated

Also, your code is _extremely_ vulnerable to SQL injection attacks. You should parameterize your SQL queries. — maccettura, Aug 30 '17 at 20:22
The *very first* thing to do is stop building SQL like that. Use parameterized SQL. That may or may not fix the problem, but it will at least remove the SQL Injection Attack. — Jon Skeet, Aug 30 '17 at 20:22
*Parametrize* the query and you'll *forget* about such problems. — Dmitry Bychenko, Aug 30 '17 at 20:22
Stop doing queries like this. As others have said, use parametrized queries. Get yourself into the habit of writing safe code. — , Aug 30 '17 at 20:23
For small projects I recommend you to use **Dapper**. It's a micro ORM which allows you to parametrize SQL queries in easy way. — Karol Trybulec, Aug 30 '17 at 20:23
Why the close votes? The duplicate does not actually answer the OP's question (Although I fully agree with the injection concerns) — Stephen Byrne, Aug 30 '17 at 20:25
@John - check this question and answer: https://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements. It will explain why what you're doing is a bad idea and also give a sample of how to do it the right way - which also solves your problem because you don't need to use ' and " in your query. — Stephen Byrne, Aug 30 '17 at 20:28
@StephenByrne cast a reopen vote like me if you disagree with the close — maccettura, Aug 30 '17 at 20:30
Thanks to everyone who commented. I had no idea what I was doing was so wrong. @StephenByrne and yes it completely fixed my problem. — John McCullough, Aug 30 '17 at 20:50

Passing a string containing special characters to database

0 Answers0

Linked