I have a function in VB.NET that runs a query from an MS SQL DB, puts the results into temporary variables, then updates an Oracle DB. My question is, if the string in the MS SQL contains a single quote ( ‘ ), how do I update the Oracle DB for something that has that single quote?
For example: Jim’s request
Will produce the following error: ORA-01756: quoted string not properly terminated
The ueio_tmpALM_Comments (coming from MS SQL) is the culprit that may or may not contain the single quote.
' Build the UPDATE statement by concatenating the values read from MS SQL
update_oracle =
"update Schema.Table set ISSUE_ADDED_TO_ALM = '1'," & _
"ISSUE_COMMENTS = '" & ueio_tmpALM_Comments & "' " & _
"where ISSUE_SUMMARY = '" & ueio_tmpALM_Summary & "' "
' Run the statement against the Oracle connection
Dim or_cmd_2 = New NetOracle.OracleCommand(update_oracle, OracleConn)
or_cmd_2.ExecuteNonQuery()
From your question it’s clear that you are building the update query using string concatenation.
Something like this
This is a cardinal sin in the SQL world. Your code will fail for the single quote problem, but the most important thing is that this code is subject to SQL injection attacks.
You should change to something like this
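A parameterized form of the update from the question, added here as an example and not code from the original answer. It assumes an open ADO.NET connection to Oracle whose provider accepts `:name` bind placeholders; `MarkIssueAdded` and `AddParam` are hypothetical names.

```vbnet
Imports System.Data
Imports System.Data.Common

Module OracleUpdateExample
    ' Hypothetical helper: adds one string bind parameter to the command.
    Private Sub AddParam(cmd As DbCommand, name As String, value As String)
        Dim p As DbParameter = cmd.CreateParameter()
        p.ParameterName = name
        p.DbType = DbType.String
        ' Send a database NULL when the source value is missing.
        p.Value = If(value Is Nothing, CObj(DBNull.Value), value)
        cmd.Parameters.Add(p)
    End Sub

    ' Updates the row; the values travel as bind variables, never as SQL text,
    ' so a comment such as "Jim's request" needs no quoting or escaping.
    Public Function MarkIssueAdded(conn As DbConnection,
                                   comments As String,
                                   summary As String) As Integer
        Using cmd As DbCommand = conn.CreateCommand()
            cmd.CommandText =
                "update Schema.Table set ISSUE_ADDED_TO_ALM = '1', " &
                "ISSUE_COMMENTS = :comments " &
                "where ISSUE_SUMMARY = :summary"
            ' Add parameters in the order the placeholders appear:
            ' some Oracle providers bind by position by default.
            AddParam(cmd, "comments", comments)
            AddParam(cmd, "summary", summary)
            ' Returns the number of rows updated.
            Return cmd.ExecuteNonQuery()
        End Using
    End Function
End Module
```

Called as `MarkIssueAdded(OracleConn, ueio_tmpALM_Comments, ueio_tmpALM_Summary)`, a return value of 0 means no row matched the summary.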