2

For example, in sql

all ` should be replaced with `` right?

Well, is there a function built in by vb.net that does that sort of thing already?

That way I do not have to encode it.

By the way, I do not access sql database directly. Basically I am creating a text file and that text file contains raw sql statements. Most of the answers deal with accessing sql data directly.

Improve this question

3 Answers 3

Reset to default
7

I don't think so as I think the only case where something like this would be relevant is if you were doing inline SQL Commands without parameters.

This has a risk of SQL Injection, and therefore you should create commands like this:

Dim cmd As New SqlCommand("UPDATE [TableA] SET ColumnA=@ColumnA WHERE ID=@ID", Conn)
cmd.Parameters.Add("@ColumnA", SqlDbType.NVarChar).Value = txtColumnA.Text
cmd.Parameters.Add("@ID", SqlDbType.Int).Value = ID
cmd.ExecuteNonQuery()
Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

+1 for using parameters. It's amazing people are still using String.Format to create their SQL queries...
Grr.. I hate it when someone beats me to the answer by <=1 Minute. Well done curt.
Thanks, I cringe at the days I used to use my custom SQL string replace function, and so does my hacked deceased website :(
7

Dont try and do this! I know you are trying to avoid SQL Injection so you are to be commended for thinking about security. However rolling your own sanitisation routine is something that is easy to get wrong.

Use parameters in your query along the lines of

cmd.CommandText = "select * from customer where id=?id";

cmd.Parameters.AddWithValue("?id",CustomerIDValue);
Improve this answer

1 Comment

How would I use these in an insert into query? When I add single quotes around the parameter, it stores the parameter as a string. When I don't add them, the program crashes saying that the parameter is never used.
0

If you are using a string then you'll be using " in your code so you won't need to escape these characters.

Dim mySql As String = "SELECT `MyColumn` FROM `Table`"
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.