1

I have a SqlCommand that attempts to insert a row in a SQL Server database table. The column of interest is a nvarchar(100) and the data that needs to be input will include characters such as "-", ";" and "\". When I insert a string without these characters everything works fine. When I attempt to insert a string that includes these characters the code fails because these characters are literally understood by the code and thus reports a syntax error. I have resolved such an issue in TSQL alone using dynamic sql, however I cannot find any good references to perform this action in C#. I suppose I could create a stored procedure and pass the values, but is there a way in which I could efficiently perform this using C# alone? If so, How? Or is passing values to a Stored Procedure a better approach?

Here is a simplified version of the code:

String SQLServerInstanceNames = "ussqlclus-db43\ussqlclusdb43; ussqlclus-db44\ussqltrysdb44; ussqltrys-db45\ussqltrysdb45;"

//Create Connection (Get Connection string from Server Explorer)
SqlConnection myConnection = new SqlConnection("Data Source=SERVER1;Initial Catalog=Database1;Integrated Security=True");

//Open connection
try { myConnection.Open(); }
catch (Exception e) { Console.WriteLine(e.ToString()); }

SqlCommand myCommand = new SqlCommand("INSERT INTO [dbo].[Table1]" +
"([SQLServerInstanceNames])" +
"VALUES (SQLServerInstanceNames);", myConnection);

//Execute command
myCommand.ExecuteNonQuery();

//Close connection
try { myConnection.Close(); }
catch (Exception e) { Console.WriteLine(e.ToString()); }
Improve this question
4
  • 8
    You need to use parameters.
    – SLaks
    Commented Jun 10, 2013 at 21:08
  • 2
    Parameterized Queries FTW!
    – Justin Niessner
    Commented Jun 10, 2013 at 21:09
  • I've seen a lot more SQL parameterization questions lately. Odd...
    – Marc Gravell
    Commented Jun 10, 2013 at 21:52
  • Where did you get that connection opening code from? If there's an exception, then report the exception on the console, then go ahead and still attempt to use the connection? It would be far better to not have the try/catch block there at all.
    – Damien_The_Unbeliever
    Commented Jun 11, 2013 at 10:29

3 Answers 3

Reset to default
5

Try with SqlParameters. It will save you from Sql Injection as well as from your current problem.

myCommand.Parameters.AddWithValue("@param1", myValueWithCharacters);
Improve this answer
1

C# uses \ as a control character. You can ignore those by prepending the string with an @ character:

String SQLServerInstanceNames = @"ussqlclus-db43\ussqlclusdb43; ussqlclus-db44\ussqltrysdb44; ussqltrys-db45\ussqltrysdb45;"
Improve this answer
0

Just update your code like this to include parmeters in INSERT statement 

SqlCommand myCommand = new SqlCommand("INSERT INTO [dbo].[Table1]" + 
        "([SQLServerInstanceNames])" + "VALUES (@SQLServerInstanceNames);", myConnection);
    myCommand.Parameters.AddWithValue("@SQLServerInstanceNames", "instance name");

Notice I updated VALUES part and added @SQLServerInstanceNames – this is how you add parameters to your query.

Now that you use parameters you won’t have to worry about special characters. These will be handled automatically.

Improve this answer

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.