Home/ Questions/Q 8226765
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T15:53:22+00:00

getting Error while executing this query , because column text may contain text with

  • 0

getting Error while executing this query , because column text may contain text with single quotes also. How can i use this query w/o any error
My code is

public bool updateCMStable(int id, string columnName, string columnText)
{
    try
    {
        string sql = "UPDATE  CMStable SET " + columnName + 
                      "='" + columnText + "' WHERE cmsID=" + id;
        int i = SqlHelper.ExecuteNonQuery(Connection.ConnectionString,
                                          CommandType.Text,
                                          sql);
        if (i > 0)
        {
            return true;
        }
        else
        {
            return false;
        }
    }
    catch (Exception ee)
    {
        throw ee;
    }
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    To fix your code, escape all single quotes with an additional single quote. However I agree with Oded… you need to be using a parameterized query, or possibly a stored proc.

    public bool updateCMStable(int id, string columnName, string columnText) 
{ 
   if(!string.IsNullOrEmpty))
   {
       switch(columnName)
       {
           // TODO: change 50 & 100 to the real sizes of your columns, 
           // and obviously the column names too...
           case "column1":
               if(columnText.Length > 50)
                   columnText = columnText.SubString(0, 50);
               break;
           case "column2":
               if(columnText.Length > 100)
                   columnText = columnText.SubString(0, 100);
               break;
           etc... 
        }
    }
    // replace single quote with double single quotes
    columnText = columnText.Replace("'", "''");
    string sql = string.Format("UPDATE CMStable SET {0} = '{1}' WHERE cmsID={2}", 
        columnName, 
        columnText, 
        id); 
    int i = SqlHelper.ExecuteNonQuery(Connection.ConnectionString, CommandType.Text, sql); 
    return (i > 0); 
}

    I made some additional corrections to your code.

    1. You can simply return the result of an if statement when you’re returning true | false
    2. You don’t need to catch exceptions if you’re simply going to throw it in the catch block
    3. If you DO catch an exception, do something meaningful with it, and decide to rethrow it, use throw by itself, or you’ll reset the stack trace. Don’t use throw ee;
    4. Replace + type concatination with string.Format if it becomes too unreadable.

    Edit:

    The error you posted is happening because the length of the data being passed in is longer than the specified length of the column. Since you’re using dynamic SQL, the only way around it that I can see is to use a case statement. Each field may have a different size, or maybe not, but the string will have to be truncated to fit to avoid the error. If all the field sizes are the same, you won’t need the case statement.

    • 0