Search code examples
c#mysqlphpmyadminapostrophe

How to pass a C# variable with apostrophe through MySql


I'm having a problem inputting variables into my database. I've seen other posts on how to pass a variable through by just escaping it, but those solutions do not apply because I am getting my variable's through an API. I'm cycling though data with a foreach loop by the way.

level = "" + x.Account_Level + "";
name = "" + x.name + "";
command.CommandText = "INSERT INTO `data` (`level`, `name`) VALUES(" + level + ", " + name + ")";
command.ExecuteNonQuery();  

Sometimes, a variable will come back with an apostrophe and will screw up the code. Is it possible to insert a slash before every apostrophe or is there a way like in PHP to just push the whole variable through with single quotes? Thanks!

Edit: Would this work? I think I need to add the i to change the name of the parameter each loop, due to it claiming the parameter as already declared.

using (var web = new WebClient())
        {
        web.Encoding = System.Text.Encoding.UTF8;
        var jsonString = responseFromServer;
        var jss = new JavaScriptSerializer();
        var MatchesList = jss.Deserialize<List<Matches>>(jsonString);
        string connectString = "Server=myServer;Database=myDB;Uid=myUser;Pwd=myPass;";
        MySqlConnection connect = new MySqlConnection(connectString);
        MySqlCommand command = connect.CreateCommand();
        int i = 1;


        connect.Open();
        foreach (Matches x in MatchesList)
        {

            command.CommandText = "INSERT INTO `data` (`level`, `name`) VALUES(?level" + i + ", ?name" + i + ")";

             command.Parameters.AddWithValue("level" + i, x.Account_Level);
             command.Parameters.AddWithValue("mode" + i, x.name);

            command.ExecuteNonQuery();
            i++;
        }
        connect.Close();                    
    }

Solution

  • The quick and dirty fix is to use something like:

    level = level.Replace("'","whatever");
    

    but there are still problems with that. It won't catch other bad characters and it probably won't even work for edge cases on the apostrophe.

    The best solution is to not construct queries that way. Instead, learn how to use parameterised queries so that SQL injection attacks are impossible, and the parameters work no matter what you put in them (within reason, of course).

    For example (off the top of my head so may need some debugging):

    MySqlCommand cmd = new MySqlCommand(
        "insert into data (level, name) values (?lvl, ?nm)", con);
    cmd.Parameters.Add(new MySqlParameter("lvl", level));
    cmd.Parameters.Add(new MySqlParameter("nm", name)); 
    cmd.ExecuteNonQuery();