Hello everyone, I am creating a settings page for another application using MVC4. In the settings page:
1. It contains two text areas in which the user can type anything.
2. After typing, if the user clicks the submit button, the text he has written is saved in a SQL database.
3. The main application will read that data from the database and display it.
Here are my respective codes:
Model:
// View model bound from the two text areas; the class name matches the controller's parameter type.
public class AddDetailModel
{
    public string PartnerInfo1 { get; set; }
    public string PartnerInfo2 { get; set; }
}
Controller:
[HttpPost]
public ActionResult Index(AddDetailModel model)
{
    // Raw form input, taken as-is from the two text areas.
    string pinfo1 = model.PartnerInfo1;
    string pinfo2 = model.PartnerInfo2;

    using (SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["Sample"].ConnectionString))
    {
        con.Open();
        // The user's text is concatenated straight into the SQL statement, so a ' in the input
        // terminates the string literal early; that is what produces the "Unclosed quotation mark" error.
        SqlCommand cmd = new SqlCommand("update dbo.Partner_Design set PartnerInfo1='" + pinfo1 + "',PartnerInfo2='" + pinfo2 + "' where [PartnerID]='cs'", con);
        cmd.ExecuteNonQuery();
    }
    return RedirectToAction("Index");
}
And in the view:
@Html.TextAreaFor(m => m.PartnerInfo1)
@Html.TextAreaFor(m => m.PartnerInfo2)
In the database, the corresponding table contains two columns, PartnerInfo1 and PartnerInfo2, and their datatype is nvarchar(max).
My problem is that when I type an apostrophe in a text area it gives me an error. For example, if I type “world’s” it gives an error on clicking the submit button.
This is the error:
Incorrect syntax near 's'.
Unclosed quotation mark after the character string ''.
Please suggest what I can do to avoid this. Any help would be appreciated.
Your method exposes your query to SQL injection attacks. You are much better off using a parameterised query, which will sort out your issue as well.
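The parameterised version the answer recommends, written out as an added example (this is not code from the original post or the asker's project). It keeps the names the question gives (AddDetailModel, the "Sample" connection string, dbo.Partner_Design, the 'cs' partner row); the controller class name, the nvarchar(50) type assumed for the PartnerID column, the anti-forgery token and the SavePartnerInfo helper are additions of mine.

```csharp
// Added example, not from the original post. Assumed names: SettingsController, SavePartnerInfo,
// and an nvarchar(50) PartnerID column; everything else is taken from the question.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

public class SettingsController : Controller
{
    // The SQL text is now fixed. User input only ever travels as a parameter value, so an
    // apostrophe, a semicolon or a -- comment marker in the text is stored as plain characters
    // and can never change the shape of the statement.
    private const string UpdateSql =
        "UPDATE dbo.Partner_Design " +
        "SET PartnerInfo1 = @PartnerInfo1, PartnerInfo2 = @PartnerInfo2 " +
        "WHERE [PartnerID] = @PartnerId";

    [HttpPost]
    [ValidateAntiForgeryToken] // assumed addition; pair it with @Html.AntiForgeryToken() in the form
    public ActionResult Index(AddDetailModel model)
    {
        int rows = SavePartnerInfo(model.PartnerInfo1, model.PartnerInfo2, "cs");
        if (rows == 0)
        {
            // No row with that PartnerID exists: report it rather than silently "succeeding".
            ModelState.AddModelError("", "Partner record 'cs' was not found.");
            return View(model);
        }
        return RedirectToAction("Index");
    }

    // Runs the update and returns the number of rows affected. Kept separate from the action
    // so it can be exercised without an HTTP request.
    internal static int SavePartnerInfo(string info1, string info2, string partnerId)
    {
        string connectionString = ConfigurationManager.ConnectionStrings["Sample"].ConnectionString;

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(UpdateSql, con))
        {
            // Declare type and size explicitly. Size -1 means nvarchar(max), matching the columns,
            // so the driver neither truncates long text nor infers a varchar type from the value.
            // Empty text areas post null; pass DBNull rather than letting the parameter be omitted.
            cmd.Parameters.Add("@PartnerInfo1", SqlDbType.NVarChar, -1).Value = (object)info1 ?? DBNull.Value;
            cmd.Parameters.Add("@PartnerInfo2", SqlDbType.NVarChar, -1).Value = (object)info2 ?? DBNull.Value;
            cmd.Parameters.Add("@PartnerId", SqlDbType.NVarChar, 50).Value = partnerId; // assumed column width

            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

With this change, typing "world's" or even "'; DROP TABLE dbo.Partner_Design; --" into a text area simply stores that literal string. Note that parameterisation only fixes the database side: the question says the main application later displays this text, so that application must still HTML-encode it on output (Razor's @ syntax does this by default) to avoid turning the stored text into a script injection problem.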