Now I am just learning SQL for C#, but I have one problem which I can't solve. My program is simple: I have three textBoxes and one button. In the first textBox I type a password, in the second textBox I type an email; this is a simple login. When you click the button, if there is a match with the password and email in the SQL database, a short string appears in the third textBox, but when I click the button an exception occurs: Unclosed quotation mark after the character string ". Please help me because I don't know what to do! Thank you in advance!
- Show the relevant code here. – Carcigenicate Dec 31 '18 at 16:26
- Most likely an error in your SQL string, but you need to show us the code. – Richard Hubley Dec 31 '18 at 16:30
- My psychic powers tell me that https://stackoverflow.com/q/332365/11683 will be mentioned after you show the relevant code. – GSerg Dec 31 '18 at 16:31
- [SQL injection](https://learn.microsoft.com/en-us/sql/relational-databases/security/sql-injection) is a thing, remember to **always** sanitize user input. – Laurens Deprost Dec 31 '18 at 16:32
- Well, the error message you receive says it all. You are missing a closing quotation mark in your SQL, probably for one of your parameters. Consider using SQL parameters instead of concatenating the parameter value from the textbox due to SQL injection risk. https://social.msdn.microsoft.com/Forums/sqlserver/en-US/3ce4d130-0bf8-456d-a30d-029e4086a38e/unclosed-quotation-mark-after-the-character-string-?forum=transactsql – Shai Aharoni Dec 31 '18 at 16:33
- @LaurensDeprost Shame on you! That phrase should have a link to bobby tables. – Cleptus Dec 31 '18 at 16:43
- @bradbury9 You're right. I will make amends... [Bobby Tables](https://xkcd.com/327/). – Laurens Deprost Dec 31 '18 at 19:47
1 Answer
My guess is that a user input a single quote in the "Notes" and this caused the problem. This is my generic function for handling all text inputs when Inserting/Updating:
```csharp
/// <summary>
/// Converts a string to a properly formatted text. Includes correcting single quotes.
/// </summary>
/// <param name="Field">String to format</param>
/// <returns>The value wrapped in single quotes, ready to be concatenated into a SQL string</returns>
internal static String SQLString(object Field)
{
    String s = "";
    try
    {
        s = Convert.ToString(Field);
    }
    catch
    { }
    // Doubles any embedded single quote and rewrites CRLF as an Oracle-style
    // concatenation with chr(10) (on SQL Server the equivalent is + CHAR(10) +).
    return "'" + s.Replace("'", "''").Replace("\r\n", "' || chr(10) || '").Trim() + "'";
}
```

Frank Ball
- Parametrized queries: a) don't require input sanitization. b) The database engine caches them, so they are usually faster. c) Are easier to write, no need to bother with type delimiters. – Cleptus Jan 01 '19 at 00:38
- For future readers: I strongly discourage this method. Instead of trying to (clumsily) reinvent the wheel, use what Microsoft already provided: `SqlCommand.Parameters`. – FCin Jan 02 '19 at 09:36
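The fix the comments on both the question and the answer point to, written out as an added example (this is not code from the question, the answer, or any of the commenters): the login check first in the form the question describes, with the textbox values concatenated into the SQL text, and then the same check using `SqlCommand.Parameters`. The `Users` table, its `Email` and `Password` columns, and the connection string are assumptions made for illustration only.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // Microsoft.Data.SqlClient has the same API

static class LoginExample
{
    // Assumed for illustration: a Users table with Email and Password columns.
    // Nothing on the original page names the table, columns or server.
    const string ConnStr =
        "Server=localhost;Database=AppDb;Integrated Security=true;";

    // The pattern the question describes: textbox values pasted into the SQL text.
    // A single quote in either field leaves the quoting unbalanced and produces the
    // error from the question ("Unclosed quotation mark after the character string"),
    // and an email such as
    //   x' OR 1=1 --
    // comments out the password comparison, so the count is non-zero for any password.
    static bool VulnerableLogin(string email, string password)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Email = '" + email +
                     "' AND Password = '" + password + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // The same check with SqlCommand.Parameters. The command text is a constant;
    // the values are sent separately, with a declared type and length, so a quote,
    // a comment marker or anything else typed into the textbox is data, never SQL.
    static bool ParameterizedLogin(string email, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE Email = @Email AND Password = @Password";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 256).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    static void Main()
    {
        // Constructed inputs: a normal login, then the comment-out payload.
        Console.WriteLine(ParameterizedLogin("alice@example.com", "correct horse"));
        // Prints False: no row has the literal address "x' OR 1=1 --".
        Console.WriteLine(ParameterizedLogin("x' OR 1=1 --", ""));
    }
}
```

Run against the vulnerable version, the second call would return true for every password, which is the point of the Bobby Tables link above; escaping quotes by hand, as the answer's helper does, covers only the delimiter it knows about and has to be redone for each engine's syntax, whereas parameters remove the problem entirely. Separately from injection: comparing a plaintext password inside the query means the table stores plaintext passwords. Store a salted hash, select it by email with a parameter, and verify the submitted password against it in C#.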