Trying to understand the syntax of this video - c#

I'm trying to follow this video that teaches how to insert data into a database with Visual Studio C#. The place I'm stuck on is the syntax in the string Query (you'll know what I mean when seeing the video). The code can be seen at the 5:36 mark. I'm confused by the single quotes, double quotes and the + signs in the portion after values(.... Are + signs required in the parameter, or are they used to concatenate? Please help this novice who is trying to learn the language of C#. Much appreciated.
Edit:
string Query="insert into database.edata (Eid,name,surname,age) values('"+this.Eid_txt.Te...

Ok. The insert statement is this (a bit simplified since I cannot see the rest in the video):
"insert into database.edata (Eid) values ('" + this.Eid_txt.Text + "')";
The + sign is used for concatenation of the strings. The single quotes are required as a part of T-SQL to quote the strings. The double quote is to end the C# string and concatenate it with the value of the text box.
That being said, this is an outdated method of doing this. You should be using SQL parameters instead of concatenating strings this way.

Related

C# encoding issue, Character '¤' results in '?'

I have a C# program where I stored a long SQL query in a resource file (sql.resx).
In my query I have a special currency character (¤). When my program gets the query from the resource file and executes it on SQL Server, the currency character (¤) appears as an unsupported character. When appending the character ¤ to the result, it appears as � instead of ¤.
For me it seems like an encoding issue in C#.
Here's an excerpt from the query, where things are correct:
and tb.beward = b.beward and tb.beroom = b.beroom and tb.beidnr = b.beidnr
and wp.wpspecialbranch = c.tunnus
and ((b.beward + '¤' + b.beroom + '¤' + b.beidnr) LIKE #SCHEDULE
and
((tb.beward + '¤' + tb.beroom + '¤' + tb.beidnr) LIKE #SCHEDULE))
And here's what I'm observing:
and tb.beward = b.beward and tb.beroom = b.beroom and tb.beidnr = b.beidnr
and wp.wpspecialbranch = c.tunnus
and ((b.beward + '�' + b.beroom + '�' + b.beidnr) LIKE #SCHEDULE
and
((tb.beward + '�' + tb.beroom + '�' + tb.beidnr) LIKE #SCHEDULE))
This happens when I copy the query from debug mode and paste in SQL Server Management Studio.
Note: It was working fine on my server a few days ago, but isn't working now. There must have been some change on my server, but I'm not sure what.
I think there are two issues here.
First, in SQL Server, string literals with wide characters need the N prefix:
b.beward + N'¤'
Second, the character encoding for the *.resx file is probably wrong, or you'd at least see the character in the window, even if SQL Server didn't read it properly.
If this was working a few days ago, possibly someone opened and saved the file with a program that only knows how to do ASCII, and your special character was mangled. You'll need to fix the file.
If this came from the Visual Studio debug window — which is notorious for mangling values while trying to be "helpful" — you might not even be looking in the right place.
I also have three items for you separate from the question.
Looking at the SQL, this isn't gonna perform well. The concatenation going on here makes any indexes on those columns worthless. You will get much better performance... probably orders of magnitude, if you structure the query to not require concatenating those columns. At least, a computed column with a FULL-TEXT index could possibly make this query drastically faster.
Logically, the SQL is also doing extra work. If the beward, beroom, beidnr columns already match between the two tables, you only need to concatenate and test ONE of them against the #SCHEDULE input. They have the same values, so if one matches (or not), the other must have the same result.
In the future, please PASTE THE CODE into your question. Images don't work as well here. It saves you work, too.
In SQL Server
You need to use the data type nvarchar, which is able to store Unicode characters.
To declare a string literal as nvarchar you need to prefix it with N'; without it, it is just a normal varchar. Varchars allow only characters in the specified underlying collation.
b.beward + N'¤'
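As an added example (not code from the answers above), this reproduces the '¤' to '�' symptom by decoding the same bytes the right and the wrong way, and gives a strict check that reports the offset of the first bad byte in a .resx file. The ISO-8859-1 code page and the sample bytes are constructed assumptions.

```csharp
using System;
using System.Linq;
using System.Text;

// Added example, not from the original thread. Assumes the .resx was re-saved in a
// single-byte code page (ISO-8859-1 here); that code page is an assumption.
public static class ResxEncodingCheck
{
    static readonly Encoding Latin1 = Encoding.GetEncoding("iso-8859-1");

    // Lenient decode, the way an XML reader does it: every invalid sequence becomes
    // U+FFFD, the replacement character the question shows where '¤' should be.
    public static string DecodeLenient(byte[] fileBytes) =>
        Encoding.UTF8.GetString(fileBytes);

    // Strict decode: byte offset of the first invalid UTF-8 sequence, or -1 if clean.
    public static int FirstInvalidOffset(byte[] fileBytes)
    {
        var strict = new UTF8Encoding(encoderShouldEmitUTF8Identifier: false, throwOnInvalidBytes: true);
        try { strict.GetString(fileBytes); return -1; }
        catch (DecoderFallbackException ex) { return ex.Index; }
    }

    // Repair: reinterpret the bytes in the code page they were actually saved in and
    // write them back as UTF-8 with a BOM, so the next editor does not have to guess.
    public static byte[] ReencodeAsUtf8(byte[] fileBytes, Encoding actual)
    {
        var utf8 = new UTF8Encoding(encoderShouldEmitUTF8Identifier: true);
        return utf8.GetPreamble().Concat(utf8.GetBytes(actual.GetString(fileBytes))).ToArray();
    }

    public static void Main()
    {
        // Constructed sample: the fragment from the question, saved two different ways.
        string fragment = "b.beward + '¤' + b.beroom";
        byte[] savedAsUtf8   = Encoding.UTF8.GetBytes(fragment);  // '¤' is the pair C2 A4
        byte[] savedAsLatin1 = Latin1.GetBytes(fragment);         // '¤' is a lone A4 byte

        Console.WriteLine(DecodeLenient(savedAsUtf8));    // decodes cleanly
        Console.WriteLine(DecodeLenient(savedAsLatin1));  // the lone A4 becomes U+FFFD
        Console.WriteLine(FirstInvalidOffset(savedAsUtf8));
        Console.WriteLine(FirstInvalidOffset(savedAsLatin1));

        // After repair the strict check passes and the text round-trips (BOM stripped).
        byte[] repaired = ReencodeAsUtf8(savedAsLatin1, Latin1);
        Console.WriteLine(FirstInvalidOffset(repaired) == -1
            && DecodeLenient(repaired).TrimStart('\uFEFF') == fragment);
    }
}
```

Run the strict check against the raw bytes of sql.resx before suspecting SQL Server; if it returns an offset, the file itself was mangled.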

Finding specific parts of strings containing certain letters/symbols and then creating a reference to those parts

Currently I am storing data in form of jsons (strings) on a database. As jsons contain quotation marks though and the database I am using is unable to store quotation marks in this form: " it converts all quotation marks (like this one :") to "
Unity will therefore not allow me to deserialize the json anymore as it now looks somewhat like this:
{"coins":0,"level":0,"kills":0,"deaths":0,"xp":0.0}
instead of like this:
{"coins":0,"level":0,"kills":0,"deaths":0,"xp":0.0}
Obviously a possible solution to this would be to find all the parts of my json string containing ", storing a reference to these parts and then converting all of those parts to a simple "
Therefore I would ask you how I would go about doing this.
You can use String.replace(""","\"") and then String.split, but maybe you need to think about moving to a database that supports JSON, like MongoDB. Another direction to solve this: have you tried placing the " as \"?
The Database is doing a good job by encoding the text for you thereby preventing Hacks!! It is simply doing text encoding for you.
All you have to do is decode the text before using it. If there are chances that a double quote is part of the data then you should be careful while reverse converting the encoded text. Refer to this MSDN resource, Anti-Cross Site Scripting Library, to get better insight into the topic.

Replacing single quotes in full sql queries with C#

In our C# desktop-application we generate a lot of dynamic sql-queries. Now we have some troubles with single quotes in strings. Here's a sample:
INSERT INTO Addresses (CompanyName) VALUES ('Thomas' Imbiss')
My question is: How can I find and replace all single quotes between 2 other single quotes in a string? Unfortunately I can't replace the single quotes when creating the different queries. I can only do that after the full query is created and right before the query gets executed.
I tried this pattern (Regular Expressions): "\w\'\w"
But this pattern doesn't work, because after "s'" there's a space instead of a char.
I am sorry to say, there is no solution in the approach you expect.
For example, have these columns and values:
column A, value ,A',
column B, value ,B',
If they are together in the column list, you have ',A',',',B','.
Now, where is the boundary between first and second value? It is ambiguous.
You must take action when creating text fields for SQL. Either use SQL parameters or properly escape quotes and other problematic characters there.
Consider showing the above ambiguous example to managers, pushing the whole problem back as algorithmically unsolvable at your end. Or offer to implement guesswork and ask them whether they will be happy if the content of several text fields can get mixed in some cases like the one above.
At time of SQL query creation, if they do not want to start using SQL parameters, the solution for enquoting any input string is as simple as replacing:
// Requires: using System.Linq; (for .All)
string Enquote(string input)
{
    // Non-ASCII input needs the N prefix (nvarchar literal); pure ASCII can stay varchar.
    // Doubling each embedded quote is the T-SQL escape for a quote inside a literal.
    // The prefix choice must be parenthesized, otherwise the + binds before the ?: and
    // the ASCII branch would return just "'".
    return (input.All(c => c < 128) ? "'" : "N'")
        + input.Replace("'", "''")
        + "'";
}
Of course, it can have problems with deliberately malformed Unicode strings (surrogate pairs to hide ') but it is not normally possible to produce these strings through the user interface. Generally this can still be faster than converting all queries to versions with SQL parameters.
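To show the parameterized alternative that this answer and the first answer on this page both recommend, here is an added example (not code from either answer): the Addresses insert from this question and the edata insert from the first one, built with SqlParameters next to the concatenated form that breaks on Thomas' Imbiss. The connection string and column widths are placeholders; nothing is executed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // Microsoft.Data.SqlClient exposes the same API

// Added example, not from the original answers. Table and column names come from the
// questions on this page; the connection is constructed but never opened.
public static class ParameterizedInserts
{
    // The form the application generates now: the quote inside the value closes the
    // literal early and whatever follows is parsed as SQL instead of data.
    public static string ConcatenatedAddressInsert(string companyName) =>
        "INSERT INTO Addresses (CompanyName) VALUES ('" + companyName + "')";

    // Parameterized form: the value never becomes SQL text, so quotes, '¤' or anything
    // else a user types stay data. NVarChar carries Unicode without an N'..' literal.
    public static SqlCommand AddressInsert(SqlConnection conn, string companyName)
    {
        var cmd = new SqlCommand("INSERT INTO Addresses (CompanyName) VALUES (@name)", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 200).Value = companyName; // 200: assumed width
        return cmd;
    }

    // The employee insert from the first question, one typed parameter per column in
    // place of the '"+this.Eid_txt.Text+"' pieces. Types and widths are assumptions.
    public static SqlCommand EmployeeInsert(SqlConnection conn, string eid, string name, string surname, int age)
    {
        var cmd = new SqlCommand(
            "insert into database.edata (Eid, name, surname, age) values (@eid, @name, @surname, @age)", conn);
        cmd.Parameters.Add("@eid", SqlDbType.NVarChar, 50).Value = eid;
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        cmd.Parameters.Add("@surname", SqlDbType.NVarChar, 100).Value = surname;
        cmd.Parameters.Add("@age", SqlDbType.Int).Value = age;   // int.Parse(age_txt.Text) at the call site
        return cmd;
    }

    public static void Main()
    {
        const string value = "Thomas' Imbiss";   // the value from the question
        Console.WriteLine(ConcatenatedAddressInsert(value));   // literal ends after Thomas

        // Placeholder connection string; replace with the application's own.
        using var conn = new SqlConnection("Server=(local);Database=App;Integrated Security=true");
        var cmd = AddressInsert(conn, value);
        Console.WriteLine(cmd.CommandText);
        Console.WriteLine(cmd.Parameters["@name"].Value);   // the whole value, quote included
    }
}
```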

Plus sign in query string?

I have a webapp created using C# and ASP.NET. I placed a parameter value in the query string with a plus (+) sign. But the plus sign disappears.
How can I include the plus sign (+) in the query string without it disappearing?
Here I found the same question and according to it, I have used Server.UrlEncode(myqerystring) and at the time of decoding Server.UrlDecode(myqerystring), but somehow it always resolves to a SPACE. Here is the watch window:
1) Querystring after the Server.UrlEncode()
2) Querystring after the Server.UrlDecode()
Notice the space between S and R; it should be +. I am new to all web development and I read other answers which say to use UrlEncode and decode, but it is giving the same issue as before. Am I doing something wrong? And yes, the query string is automatically generated. I have no control over it.
There is another hack: replace the " " or "%2b" with "+". I will go to that if I don't find any good way. So is there any good way to do this? Thanks.
The answer you link to just mentions using Server.UrlEncode, not Server.UrlDecode. When you read from Request.QueryString it automatically decodes the string for you. Doing it manually a second time is corrupting it and is why you're getting a space.
You can take a look at http://msdn.microsoft.com/en-us/library/zttxte6w(v=vs.110).aspx
Although this might help
string destinationURL = "http://www.contoso.com/default.aspx?user=test";
NextPage.NavigateUrl = "~/Finish?url=" + Server.UrlEncode(destinationURL);
Regarding the plus sign, you cannot do this as the '+' sign has semantic meaning in the query string.
Take a look at Plus sign in query string
EDIT
Have you used the '+' sign while using Google search? It provides different results.

How to disable the double quote character from being entered in a TextBox?

I'm coding a GUI using WPF and Expression Blend for an application which is using SQLite as the database where to store its data.
I made several TextBoxes where the user can input the data they want to add or modify in the database. But if a user inputs the double quote character an exception will be generated because I'm using the double quote character in the queries for the strings.
So I'm looking for a way to prevent the user to introduce a double quote character directly. Is it possible?
Note: if relevant the implementation of SQLite in C# I'm using is csharp-sqlite.
You should be using parameterized queries rather than generating the SQL as a string and executing that string. There are quite a lot of things other than just double quotes that users could enter into the textbox that would break your query (just look up SQL injection as commented earlier) and using parameters solves all of the cases. If you try to handle every case yourself you WILL miss something, it's only a question of whether anyone figures it out or not.