C++ / C#
des1roer, 2015-09-24 08:08:46

C# escaping quotes?

the question is quite simple. how to escape double quotes when querying the database and how to deal with long strings?

string sql = "SELECT  \"ID_TagName\", \"F_ComPort\", \"F_ComPortBaudRate\", \"F_ComQuery\", \"F_ParseFunction\", \"F_TagReadTime\", \"F_AnswerLenght\", \"F_AnswerKey\", ";
sql += "\"F_AnswerKeyPosition\", \"F_ComPortIPAdress\", \"F_ComPortParity\", \"F_ComPortDataBits\", \"F_ComPortStopBit\", \"F_ComPortFlowControl\", ";
sql += "\"F_ComPortTimeOut\" FROM \"SC_Tag\".\"T_TagName\" as tn,\"SC_Tag\".\"T_HardWareTag\" as hw , \"SC_Tag\".\"T_RealHardWare\" as rh where ";
sql += "rh.\"ID_RealHardWare\" = hw.\"F_RealHardWare_ID\" and tn.\"F_HardWare_ID\" = hw.\"F_TagName_ID\" and lower(\"F_ServerName\") =lower(\'" + my_name + "\') and \"F_ComPortIPAdress\" = '127.0.0.1' ";

and then it vyviglaz full


4 answer(s)
des1roer, 2015-09-24
@des1roer

The magic "dog" (@) at the head of the string. Actual quotes then need to be written twice.

string sql = @"SELECT ""ID_TagName"",
                                   ""F_ComPort"",
                                   ""F_ComPortBaudRate"",
                                   ""F_ComQuery"",
                                   ""F_ParseFunction"",
                                   ""F_TagReadTime"",
                                   ""F_AnswerLenght"",
                                   ""F_AnswerKey"",
                                   ""F_AnswerKeyPosition"",
                                   ""F_ComPortIPAdress"",
                                   ""F_ComPortParity"",
                                   ""F_ComPortDataBits"",
                                   ""F_ComPortStopBit"",
                                   ""F_ComPortFlowControl"",
                                   ""F_ComPortTimeOut""
                            FROM ""SC_Tag"".""T_TagName"" AS tn,
                                 ""SC_Tag"".""T_HardWareTag"" AS hw,
                                 ""SC_Tag"".""T_RealHardWare"" AS rh
                            WHERE rh.""ID_RealHardWare"" = hw.""F_RealHardWare_ID""
                              AND tn.""F_HardWare_ID"" = hw.""F_TagName_ID""
                              AND ""F_ComPortIPAdress"" = '127.0.0.1'
                              AND lower(""F_ServerName"") =lower('" + Name + "')";

Artem Voronov, 2015-09-24
@newross

Why don't you use query parameters? And the code will be readable, unlike what it is now, and there will be fewer problems with escaping.

string commandText = "UPDATE Sales.Store SET Demographics = @demographics WHERE CustomerID = @ID;";
SqlCommand command = new SqlCommand(commandText, connection);
command.Parameters.Add("@ID", SqlDbType.Int);
command.Parameters["@ID"].Value = customerID;
command.Parameters.AddWithValue("@demographics", demoXml);
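To show how the two points in this thread fit together (a verbatim @"..." string for the doubled-quote identifiers, and parameters instead of concatenating my_name), here is the asker's query rewritten in that form. This is an added example, not code from the thread; it assumes the same System.Data.SqlClient provider as the snippet above (ADO.NET connections have QUOTED_IDENTIFIER on by default, so "Name" identifiers are accepted), and the helper name LoadTagSettings is made up for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // assumed provider, same as the answer above

// Added example, not from the original thread. The SQL text is a constant:
// identifiers and keywords live in the verbatim string, while the two runtime
// values are bound as parameters, so text coming from outside the program is
// never spliced into the statement.
static class TagQueries
{
    private const string Sql = @"
        SELECT ""ID_TagName"", ""F_ComPort"", ""F_ComPortBaudRate"", ""F_ComQuery"",
               ""F_ParseFunction"", ""F_TagReadTime"", ""F_AnswerLenght"", ""F_AnswerKey"",
               ""F_AnswerKeyPosition"", ""F_ComPortIPAdress"", ""F_ComPortParity"",
               ""F_ComPortDataBits"", ""F_ComPortStopBit"", ""F_ComPortFlowControl"",
               ""F_ComPortTimeOut""
        FROM ""SC_Tag"".""T_TagName"" AS tn,
             ""SC_Tag"".""T_HardWareTag"" AS hw,
             ""SC_Tag"".""T_RealHardWare"" AS rh
        WHERE rh.""ID_RealHardWare"" = hw.""F_RealHardWare_ID""
          AND tn.""F_HardWare_ID"" = hw.""F_TagName_ID""
          AND ""F_ComPortIPAdress"" = @ipAddress
          AND lower(""F_ServerName"") = lower(@serverName)";

    // Hypothetical helper name. The original literal '127.0.0.1' is kept as the default.
    public static DataTable LoadTagSettings(SqlConnection connection,
                                            string serverName,
                                            string ipAddress = "127.0.0.1")
    {
        using (var command = new SqlCommand(Sql, connection))
        {
            // Typed, length-limited parameters: the value is sent as data, so a
            // server name containing ' or " cannot change the statement, and no
            // manual escaping is needed.
            command.Parameters.Add("@serverName", SqlDbType.NVarChar, 128).Value = serverName;
            command.Parameters.Add("@ipAddress", SqlDbType.VarChar, 45).Value = ipAddress;

            var table = new DataTable();
            using (var reader = command.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    // Usage: open a connection and pass the local machine name as the server name.
    public static int CountTagsForThisMachine(string connectionString)
    {
        using (var connection = new SqlConnection(connectionString))
        {
            connection.Open();
            DataTable rows = LoadTagSettings(connection, Environment.MachineName);
            return rows.Rows.Count;
        }
    }
}
```

Add(name, type, size) is preferred over AddWithValue here because the column type and length are fixed by the query rather than inferred from whatever string arrives at runtime.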

Vitaly Litvinyuk, 2015-09-24
@Dzhamal

In sql queries, the names of tables and columns do not need to be quoted. If the name of the table/column matches the reserved one, for example User, you write the name in square brackets (example [User]).
Long strings can be split across lines like this:

var longString = "long string "
        + "long string "
        + "long string";

Roman, 2015-09-24
@yarosroman

In the enumeration of fields in select, it is not necessary to enclose them in quotation marks, nor table names (except when they match reserved SQL expressions). This query SELECT Id,Name,EMail,Age,City FROM Sample.dbo.Users works just fine, without a bunch of quotes.
