How to fix problem when SQL query contain specail character ' apostrophe in where clause column value

Question

0.00/5 (No votes)

See more:

hi,
I need help how we can fix a problem when my query contain a ' in column value

foreach (var item in lstVendorNames)
                {
                    var lstQuery = "select * from Transactions where MasterId not in (Select masterId from BillDetails) and MasterId in (select MasterId from Transactions where Ledger='" + item + "') and Ledger= '" + item + "'";
                    SqlDataAdapter ada = new SqlDataAdapter(lstQuery, CGlobalTally_MT.sqlConnection);
                    DataTable dtvendBill = new DataTable();
                    ada.Fill(dtvendBill);

select * from Transactions where MasterId not in (Select masterId from BillDetails) and MasterId in (select MasterId from Transactions where Ledger='Aerostar's Security Group') and Ledger= 'Aerostar's Security Group'

I need help how to fix it it is coming for two vendors

What I have tried:

I tried to remove prefix but could not solved it

Posted 31-Jan-17 22:12pm

Member 10192073

Updated 31-Jan-17 22:54pm

v2

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Suvendu Shekhar Giri · Accepted Answer · 2017-01-31T22:54:00

First of all, your code is vulnerable to SQL Injection.[^]
And good news is, if you take care of prevention for SQL Injection, it will automatically solve your issue too.

Either you can create a stored procedure or consider creating parameterised query something like following-

C#

var lstQuery = @"select * from Transactions where MasterId not in (Select masterId from BillDetails) and MasterId in (select MasterId from Transactions where Ledger=@Ledger) and Ledger= @Ledger";
SqlCommand cmd = new SqlCommand(lstQuery, CGlobalTally_MT.sqlConnection);
cmd.Parameters.AddWithValue("@Ledger", item);
SqlDataAdapter ada = new SqlDataAdapter(cmd);
DataTable dtvendBill = new DataTable();
ada.Fill(dtvendBill);

Hope, it helps :)