
I am having confusion with this string concatenation. Could somebody please explain to me how this string concatenation is taking place? The confusion I have is how the +, "", and ' are working in this:

int i = Magic.Allper("insert into tbl_notice values ('" + Label1.Text + "','" + companyTxt.Text + "','" + txtBranch.Text + "','" + dateTxt.Text + "'  ,'" + reportingTxt.Text + "','" + venueTxt.Text + "','" + eligibilityTxt.Text + "')");

4 Answers


Anything between two " characters is taken as a String in Java, so "','" produces ','. SQL requires Strings to be wrapped in '. So "'" + venueTxt.Text + "'" parses to 'variable value' when the query is made.


2 Comments

Sir, why do we have to use the + sign in that? Can't we directly use the comma sign and proceed? And if we are using the + sign and putting the string in double quotes, don't we need to put the comma too in double quotes using the + sign?
A String literal is different from a variable, we need to grab the value of the variable (it may be a String or an int or double etc) and then join them together with the rest of the statement (using +).
("insert into tbl_notice values ('" + Label1.Text + "','" + companyTxt.Text + "','" + txtBranch.Text + "','" + dateTxt.Text + "' ,'" + reportingTxt.Text + "','" + venueTxt.Text + "','" + eligibilityTxt.Text + "')");

Assuming that

  • Label1= Hello
  • companyTxt = ABC
  • txtBranch = Engineering
  • dateTxt = 2010-12-01
  • reportingTxt = Fergusson
  • venueTxt = Batcave
  • eligibilityTxt = No

The above values are replaced in the SQL statement, making it look like

("insert into tbl_notice values ('" + Hello + "','" + ABC + "','" + Engineering + "','" + 2010-12-01 + "' ,'" + Fergusson + "','" + Batcave + "','" + No + "')");

The "+" operator joins the string values, resulting in

("insert into tbl_notice values ('Hello','ABC','Engineering','2010-12-01' ,'Fergusson','Batcave','No')")



I strongly recommend that you don't use string concatenation in SQL queries. They provoke SQL injection. This will cause security issues.

What is SQL Injection?

In response to your question, this concatenation simply takes every TextBox.Text property value and concatenates it into your insert statement.

I strongly recommend that you use parameterized queries using ADO.NET, like the following example (assuming SQL Server):

using System.Data;
using System.Data.SqlClient;

// ...

using (var connection = new SqlConnection(connString))
using (var command = connection.CreateCommand()) {
    string sql = "insert into tbl_notice values(@label1, @companyTxt, @txtBranch, @dateTxt, @reportingTxt, @venueTxt, @eligibilityTxt)";

    command.CommandText = sql;
    command.CommandType = CommandType.Text;

    // Each parameter carries one TextBox value; the value is sent separately
    // from the SQL text, so quotes inside it cannot alter the statement.
    SqlParameter label1Param = command.CreateParameter();
    label1Param.ParameterName = "@label1";
    label1Param.Direction = ParameterDirection.Input;
    label1Param.Value = Label1.Text;
    command.Parameters.Add(label1Param);   // CreateParameter() does not add it for you

    // The local is named companyParam so it does not shadow the companyTxt TextBox.
    SqlParameter companyParam = command.CreateParameter();
    companyParam.ParameterName = "@companyTxt";
    companyParam.Direction = ParameterDirection.Input;
    companyParam.Value = companyTxt.Text;
    command.Parameters.Add(companyParam);

    // And so forth for each of the parameters enumerated in your sql statement.

    if (connection.State == ConnectionState.Closed)
        connection.Open();

    int rowsAffected = command.ExecuteNonQuery();
}

2 Comments

+1 to remove downvote. I'd also like to introduce Java programmers to "stored procedures"
@Guy: Thanks! Though I really don't know why the downvote. Anyway! It doesn't matter! =)

I would use the string.Format method for clarity:

int i = Magic.Allper(string.Format("insert into tbl_notice values ('{0}','{1}','{2}','{3}','{4}','{5}','{6}')", 
    Label1.Text, 
    companyTxt.Text, 
    txtBranch.Text, 
    dateTxt.Text, 
    reportingTxt.Text,
    venueTxt.Text, 
    eligibilityTxt.Text));

You might also want to create an extension method that will make sure the strings are safe to pass to SQL in this fashion:

using System.Linq;

public static string ToSqlFormat(this string mask, params string[] args)
{
    // Strings are immutable: List.ForEach(a => a.Replace(...)) discards the
    // replaced copy, so the result must be collected into a new array.
    string[] safe = args.Select(a => a.Replace("'", "''")).ToArray();
    // string[] converts to object[], so the values fill {0}, {1}, ... rather
    // than being passed as a single argument.
    return string.Format(mask, safe);
}

which will let you write

string insert = "insert into tbl_notice values ('{0}','{1}','{2}','{3}','{4}','{5}','{6}')";
int i = Magic.Allper(insert.ToSqlFormat( 
    Label1.Text, 
    companyTxt.Text, 
    txtBranch.Text, 
    dateTxt.Text, 
    reportingTxt.Text,
    venueTxt.Text, 
    eligibilityTxt.Text));
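To tie the two halves of this page together, the concatenation mechanics explained in the first two answers and the parameterized insert recommended in the ADO.NET answer, here is an added example. It is not code from the question or from any of the answers. It assumes a table tbl_notice with seven text columns in the order the question's INSERT lists them, System.Data.SqlClient (ADO.NET for SQL Server) as in that answer, and a placeholder connection string supplied by the caller. It goes slightly beyond the page by including a value that contains an apostrophe, which is the everyday case (a name like O'Reilly) where concatenation breaks even without any attacker.

```csharp
// Added example, not from the original question or answers.
// Assumptions: tbl_notice has seven NVARCHAR columns in the question's order;
// System.Data.SqlClient is available; connString is a placeholder.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class NoticeSql
{
    // Assumed column names, in the order the question's INSERT uses.
    private static readonly string[] Columns =
        { "label", "company", "branch", "date", "reporting", "venue", "eligibility" };

    // 1. The concatenation from the question made explicit: the C# literal "','"
    //    contributes SQL's quote-comma-quote between values, and + glues literal
    //    fragments and variable values into one string.
    public static string BuildByConcatenation(string[] values)
    {
        // Same result as "('" + v0 + "','" + v1 + ... + "')"
        return "insert into tbl_notice values ('" + string.Join("','", values) + "')";
    }

    // A cheap review check on concatenated SQL: every string literal needs an
    // opening and a closing quote, so a value that itself contains ' leaves an
    // odd number of quotes behind and the statement no longer parses.
    public static bool HasBalancedQuotes(string sql)
    {
        return sql.Count(c => c == '\'') % 2 == 0;
    }

    // 2. The same insert with parameters: user text never becomes part of the
    //    SQL string, so quotes inside a value cannot change the statement.
    public static int InsertWithParameters(SqlConnection connection, string[] values)
    {
        if (values.Length != Columns.Length)
            throw new ArgumentException("expected one value per column", nameof(values));

        string placeholders = string.Join(", ", Columns.Select(c => "@" + c));
        using (var command = connection.CreateCommand())
        {
            command.CommandText = "insert into tbl_notice values (" + placeholders + ")";
            command.CommandType = CommandType.Text;
            for (int i = 0; i < Columns.Length; i++)
            {
                // Explicit type and length; the driver transmits the value
                // separately from the command text.
                SqlParameter p = command.Parameters.Add("@" + Columns[i], SqlDbType.NVarChar, 200);
                p.Value = (object)values[i] ?? DBNull.Value;
            }
            if (connection.State == ConnectionState.Closed)
                connection.Open();
            return command.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed sample rows; the second one's venue contains an apostrophe.
        string[] plain = { "Hello", "ABC", "Engineering", "2010-12-01", "Fergusson", "Batcave", "No" };
        string[] withQuote = { "Hello", "ABC", "Engineering", "2010-12-01", "Fergusson", "O'Reilly Hall", "No" };

        foreach (string[] row in new[] { plain, withQuote })
        {
            string sql = BuildByConcatenation(row);
            Console.WriteLine(sql);
            Console.WriteLine("balanced quotes: " + HasBalancedQuotes(sql));
        }
        // The first row yields the statement shown in the second answer and "True";
        // the second yields an odd number of quotes and "False", i.e. SQL Server
        // would reject the concatenated statement as a syntax error.

        // Parameterized path; needs a real SQL Server, so it is left commented out.
        // using (var connection = new SqlConnection(connString))
        //     Console.WriteLine(InsertWithParameters(connection, withQuote) + " row(s) inserted");
    }
}
```

The quote-count check is only a demonstration of why the concatenated form is fragile, not a substitute for parameters: doubling quotes, as the ToSqlFormat helper above does, repairs this particular input, but the parameterized version needs no escaping at all because the values are never part of the SQL text.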

