I'm passing a string or number to a SQL query.
What is the meaning of single quotes and a single within double quotes?
select * from college where class = '"+txtclass.Text+"'
or
select * from college where class = '+txtclass.Text+'
Asked
Active
Viewed 680 times
0
Andrew Morton
- 24,203
- 9
- 60
- 84
Yabaz Thampi
- 82
- 11
-
@SudiptaMondalm that link raises more questions than answers... – jarlh Apr 26 '19 at 08:05
-
1The first example appears to have been presented out of context: it looks like the code is concatenating strings to make a query. (That is the wrong way to do it: SQL parameters should be used to pass parameters to the query.) – Andrew Morton Apr 26 '19 at 08:06
-
@jarlh I'm using SQL server – Yabaz Thampi Apr 26 '19 at 08:09
-
6Also: you should ***NOT*** concatenate your SQL with user-provided values like this - this is **WIDE OPEN** to SQL injections. Whatever database system you're using *most likely* will support something like **parametrized queries** - using those avoids SQL injections - and makes many of those quote-related problems go away, too – marc_s Apr 26 '19 at 08:09
-
1@marc_s It looks like that is a snippet taken from, say, a line of C#. Your edit may be obfuscating that. – Andrew Morton Apr 26 '19 at 08:10
-
@YabazThampi Is there more code around that snippet? It would probably help to see it. And also let us know which programming language you're using. – Andrew Morton Apr 26 '19 at 08:12
-
Single quotes are T-SQL's string delimiters. The double quote has no special meaning *within a string*. It's the difference between the strings `"+txtclass.Text+"` and `+txtclass.Text+`, where the difference likely matters to whoever is consuming that string. (Double quotes can also be used in T-SQL, not for strings but to escape identifiers, and that purpose is not relevant here.) – Jeroen Mostert Apr 26 '19 at 08:12
-
@AndrewMorton I'm using c# programming language I need to know the meaning single Quotes or single quotes within double quotes Example :insert into emi_details(ic_no,loan_id) values('" + this.ddl_icno.SelectedItem.Text + "','" + this.ddl_loanid.SelectedValue + "',)" – Yabaz Thampi Apr 26 '19 at 08:18
-
@Jeroen Mostert Thankuu man – Yabaz Thampi Apr 26 '19 at 08:18
-
@YabazThampi, please heed the comment about using parameters instead of string concatenation in the app code. This has many benefits including cleaner code, better security, performance, etc. – Dan Guzman Apr 26 '19 at 09:04
-
@YabazThampi The double quotes are not in the SQL. They are in the C# code. – Andrew Morton Apr 26 '19 at 09:31
1 Answers
-1
You should use parameters for the SqlCommand.
Here a small example on how to do it:
using (var con = new SqlConnection("conection string"))
{
con.Open();
using (var cmd = con.CreateCommand())
{
// Here is where we add the parameters into the Sql Query, this way it will prevent SQL Injection
cmd.CommandText = "select * from college where class = @class";
// Now we add the value to the parameter @class, I'm assuming here that the column class is a NVarchar
cmd.Parameters.Add("@class", SqlDbType.NVarChar).Value = txtclass.Text;
using (var dr = cmd.ExecuteReader())
{
while (dr.Read())
{
// Do some code
}
dr.Close();
}
}
}
this example is for Sql, but the same can be done to MySql, we just need to use the MySql classes, the rest is the same
Note: I know this doesn't answer the question that as been made, but since there is a security risk the way he is doing, I decided to give an simple example how to make it more secure, since the answer as been given on the comments on the question
Camadas
- 509
- 1
- 5
- 21
-
1
-
Humm thanks for the warning, I did use AddWithValue because it would require less code. Need to research a little more so I can change the solutions that I have to remove the AddWithValue – Camadas Apr 26 '19 at 13:14
-
1@Camadas You should specify the size of string parameters otherwise it might default to 1 and silently truncate the data. – Andrew Morton Apr 29 '19 at 09:14