I have some saved text in a session list that I want to save in a database. Currently,
result holds 4 different strings.
List<string> result = (List<string>)HttpContext.Current.Session["Application"];
foreach (string element in result)
{
//produce a query string?
}
I am using an Oracle database and a query string for the other inserts, for example:
string sql = "insert into JOBQUESTIONS (JOBAPPLICATIONID, QUESTIONTEXT, TYPEID, HASCORRECTANSWER, CORRECTANSWER, ISREQUIRED) VALUES (" + JobID + ", \'" + QuestionText + "\', " + TypeID + ", " + HasCorrectAnswer + ", \'" + CorrectAnswer + "\', " + IsRequired + ")";
RunQuery(sql);
So, I need to create a set of values. However, keep in mind these are all strings, so I will need to have \' \' like: \'" + CorrectAnswer + "\' for all entries of strings or it won't add to the database.
Can I use string builder? If so, how?
Why are you building a SQL string? (That opens you up to SQL injection.) I would suggest either using an ORM (Entity Framework is the MSDN ORM) or a sproc that will do this (and use SqlParameters). Or, at minimum, you should be using a parameterized string instead of pushing values in directly.
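
The parameterized form the comment recommends, applied to the JOBQUESTIONS insert from the question. This is an added example, not code from the original thread; it assumes the ODP.NET managed driver (Oracle.ManagedDataAccess), numeric types for the ID and flag columns, and a hypothetical `JobQuestionWriter` class and connection string.

```csharp
using System;
using Oracle.ManagedDataAccess.Client; // assumed provider: ODP.NET managed driver

public static class JobQuestionWriter // hypothetical helper, not from the post
{
    // Same statement as in the question, but every value is a bind variable (:name).
    // The SQL text is a constant, so user input can never change its structure.
    private const string InsertSql =
        "insert into JOBQUESTIONS (JOBAPPLICATIONID, QUESTIONTEXT, TYPEID, " +
        "HASCORRECTANSWER, CORRECTANSWER, ISREQUIRED) " +
        "values (:jobId, :questionText, :typeId, " +
        ":hasCorrectAnswer, :correctAnswer, :isRequired)";

    // Column types are assumptions; adjust OracleDbType to match the real schema.
    public static int Insert(string connectionString, int jobId, string questionText,
        int typeId, int hasCorrectAnswer, string correctAnswer, int isRequired)
    {
        using (var conn = new OracleConnection(connectionString))
        using (var cmd = new OracleCommand(InsertSql, conn))
        {
            // ODP.NET binds by position unless BindByName is set.
            cmd.BindByName = true;

            cmd.Parameters.Add("jobId", OracleDbType.Int32).Value = jobId;
            // Strings need no \' quoting: the driver sends them as data, so a value
            // such as "it's" or "x'); drop table ..." is stored literally.
            cmd.Parameters.Add("questionText", OracleDbType.Varchar2).Value =
                (object)questionText ?? DBNull.Value;
            cmd.Parameters.Add("typeId", OracleDbType.Int32).Value = typeId;
            cmd.Parameters.Add("hasCorrectAnswer", OracleDbType.Int32).Value = hasCorrectAnswer;
            cmd.Parameters.Add("correctAnswer", OracleDbType.Varchar2).Value =
                (object)correctAnswer ?? DBNull.Value;
            cmd.Parameters.Add("isRequired", OracleDbType.Int32).Value = isRequired;

            conn.Open();
            return cmd.ExecuteNonQuery(); // number of rows inserted
        }
    }
}
```

A StringBuilder would only change how the string is assembled; the values would still be concatenated into the SQL text, so it does not address the injection risk.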