Very simple question (surprisingly I can’t find a similar question anywhere): how do I escape form data in VB.net? I have various lines like this:
Dim query As String = "exec sp_Message_insert @clientid='" + pClientId + "', @message='" + pMessage + "', @takenby='" + pUserId + "', @recipients='" + pRecipients + "'"
If I use an apostrophe in the message then of course this screws up the query. I’ve looked through the intellisense functions on the string but don’t see anything appropriate…
What exactly do you mean by escaping? VB.NET doesn’t have ‘escaping’ in the same way that C-style languages do.
Now, if you want to ensure that there are no single-quotes in the pClientId variable, then you have two options:
Option 1 (not recommended for this scenario): do a simple replace. I.e.
But, as noted, I would NOT do this for what appears to be a SQL Command. What I would do is
Option 2: use data parameters to pass parameters to your DB during sql commands
For example:
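As an added example (not the answer author's code), here is Option 2 carried through for the exact call in the question: the procedure name sp_Message_insert and its four parameter names come from the question; the connection string, the SqlDbType choices and the lengths are assumed placeholders to be replaced with the procedure's real declarations. It targets System.Data.SqlClient (.NET Framework); on .NET Core/5+ swap in Microsoft.Data.SqlClient.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Module MessageRepository

    ' Placeholder connection string; supply your own (assumption, not from the question).
    Private Const ConnectionString As String = "Server=.;Database=PLACEHOLDER_DB;Integrated Security=True"

    ' Calls sp_Message_insert with SQL parameters. The argument values are sent to the
    ' server separately from the command text, so an apostrophe in pMessage (or in any
    ' other argument) is stored literally and can never change the statement itself.
    ' There is nothing to "escape" because the values are not part of the SQL string.
    Public Function InsertMessage(pClientId As String, pMessage As String,
                                  pUserId As String, pRecipients As String) As Integer
        Using conn As New SqlConnection(ConnectionString)
            Using cmd As New SqlCommand("sp_Message_insert", conn)
                ' CommandType.StoredProcedure: the command text is only the procedure name.
                cmd.CommandType = CommandType.StoredProcedure

                ' Declare type and length explicitly rather than using AddWithValue, so the
                ' parameter matches the procedure's declared types and the query plan is
                ' reused. The NVarChar sizes below are assumed; -1 means NVARCHAR(MAX).
                cmd.Parameters.Add("@clientid", SqlDbType.NVarChar, 50).Value = pClientId
                cmd.Parameters.Add("@message", SqlDbType.NVarChar, -1).Value = pMessage
                cmd.Parameters.Add("@takenby", SqlDbType.NVarChar, 50).Value = pUserId
                cmd.Parameters.Add("@recipients", SqlDbType.NVarChar, -1).Value = pRecipients

                conn.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    Sub Main()
        ' Constructed sample input: the message contains apostrophes, which would have
        ' broken the concatenated query in the question but are harmless here.
        Dim rows As Integer = InsertMessage("C001", "Don't forget O'Brien's report", "U42", "alice;bob")
        Console.WriteLine("Rows affected: " & rows)
    End Sub

End Module
```

If the procedure declares a column as VARCHAR rather than NVARCHAR, use SqlDbType.VarChar for that parameter so the server does not have to convert the value before comparing or storing it.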