Question

I've seen so many solutions to this that I don't know which one to follow. I thought that what I have would work but upon further testing I have discovered that this is not true. I'm using VB to pick up MS Excel worksheets from a given file directory, extract the data, and insert into SQL data tables.

Here's the part I need some help with:

    If saRet(linex, 11) <> "" Then
        IntDesc = (saRet(linex, 11).ToString.Replace("'", "''"))
        Echo("Internal description: " & IntDesc)
    Else
        Echo("No internal description given")
        IntDesc = ""
    End If

After tampering around with some test insert statements in SQL server studio I thought that replacing ' with '' worked. Sadly, not.

Here's an example of a string which makes the insert fail:

Set-up and Config of New Button on BP and UDF's for Despatch Process

and after my string manipulation, here's the Insert statement (I've blanked out some data which my company probably doesn't want to share, it's insignificant anyway):

INSERT INTO <tablename> VALUES ('2013-12-10', '12', '2013', 'AAAA', 'AAAA', '10668', 'JBT', 'Project - Config & System Build', 'CSB', '2', 'Y', 'N', '0', 'Set-up and Config of New Button on BP and UDF's for Despatch Process', 'Set-up and Config of New Button on BP and UDF''s for Despatch Process', '0', 'NULL')

Very grateful for any help! Thanks.


Solution

The best way is always using parameters. Those handle everything for you and you don't need to do any escaping.

If you can't use parameters, you have to do the encoding yourself, and that's very tricky. One way would be to use a format you can encode safely - for example, instead of inserting as a string literal, you might use binary encoding (e.g. cast(0xAABBCCDD as varchar(max))). This is perfectly safe, since you can be sure that there's no invalid character that would break it. Of course, it also has its problems.

As for your example, replacing ' with '' works fine (although of course you'd have to watch out for other invalid characters, such as endlines). Your problem is that you didn't do the encoding on all the strings. In your sample, the last string has the proper encoding, the one before it does not. This also beautifully illustrates the pain of making sure you're encoding properly - and everything you miss means an error, or even a way to exploit the code and cause harm. For example, what if the description was ', ''0'', ''NULL''); delete from users --?
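As an added example (not the asker's code and not from the answer above), here is the question's Excel-to-SQL insert rewritten with SqlClient parameters, so the apostrophe in "UDF's" and any other content of the cell travels as data rather than as part of the statement. The connection string, table name and column names are placeholders; saRet is assumed to be the 1-based Object(,) array returned by an Excel Range.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module ParameterisedInsert
    ' Placeholder: real connection string is not part of the original page.
    Private Const ConnStr As String = "<connection string>"

    ''' Inserts one worksheet row using parameters; no manual quote escaping
    ''' is needed, and every column is treated the same way, so no column
    ''' can be "missed" the way the unescaped one in the question was.
    Public Sub InsertRow(saRet As Object(,), linex As Integer)
        ' Column names are assumed for illustration; <tablename> is the page's placeholder.
        Dim sql As String =
            "INSERT INTO <tablename> (EntryDate, ExtDesc, IntDesc) " &
            "VALUES (@EntryDate, @ExtDesc, @IntDesc)"

        Dim intDesc As String = ""
        If saRet(linex, 11) IsNot Nothing AndAlso saRet(linex, 11).ToString() <> "" Then
            intDesc = saRet(linex, 11).ToString()   ' keep the raw text, apostrophes included
        End If

        Using conn As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand(sql, conn)
                ' Explicit SqlDbType and length: avoids implicit conversions and keeps
                ' one cached plan regardless of the string's length.
                cmd.Parameters.Add("@EntryDate", SqlDbType.Date).Value = CDate(saRet(linex, 1))
                cmd.Parameters.Add("@ExtDesc", SqlDbType.NVarChar, 200).Value = CStr(saRet(linex, 10))
                cmd.Parameters.Add("@IntDesc", SqlDbType.NVarChar, 200).Value = intDesc
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub
End Module
```

The SQL text sent to the server never contains the cell contents, so the description from the question, or the one the answer warns about, is stored verbatim and cannot change what the statement does.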

Licensed under: CC-BY-SA with attribution