
Passing text to an access database

  • 31-01-2006 3:02pm
    #1
    Closed Accounts Posts: 181 ✭✭


    Hi,

    I am creating a web app in C# that contains a text box. I have created a button event that calls a SQL command to insert whatever is in the text box into the Access database. The datatype in the Access database is of type "Text". I presumed this would be of type string? The code below compiles fine but causes a runtime error when I hit the button that calls the SQL command.
    AccessDataSource1.SelectCommand = "INSERT INTO Monthly_Backup_Table (General_Desc) VALUES (TextBox1.Text)";
    

    Funny enough the sql command works (kind of) when I use the following code
    AccessDataSource1.SelectCommand = "INSERT INTO Monthly_Backup_Table (General_Desc) VALUES ('TextBox1.Text')";
    

    It will insert the literal text TextBox1.Text into the Access database, not the value of the TextBox1.Text variable.

    Can anybody give any suggestions on how I may get this working?


Comments

  • Registered Users Posts: 2,082 ✭✭✭Tobias Greeshman


    C# won't interpolate the variables into a string like perl/php do so you'll have to split the string up.

    Eg.
    "INSERT .... (\'" + textbox1.text + "\')....


  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    Need I even say it, really?

    SQL INJECTION.


  • Closed Accounts Posts: 181 ✭✭deadfingers


    Thanks silas, that worked out for me.

    Ok rsynnott, what way should I do it to avoid SQL injection?


  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    Not being a .NET devotee, that I cannot answer without research. Go and read any basic database access tutorial for your platform.


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    You need to validate the text in your text box to make sure it doesn't contain any sql commands which would be executed when you execute your own command. There's plenty of stuff around the net to show what things to check for.


    Ideally you'd use stored procedures instead of full sql commands, but access doesn't support them.
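The fix the thread circles around without spelling out is a parameterised command: the text box value travels to the database as a parameter rather than being pasted into the SQL string, so it can never be parsed as SQL and the input validation stevenmu mentions becomes a length and content check rather than the only line of defence. The following is an added example, not code posted by anyone in the thread. Table and column names are taken from the original post; the class names, the `MonthlyBackup` connection-string key, the Jet connection string and the `Button1`/`TextBox1` control names are assumptions for illustration.

```csharp
using System;
using System.Configuration;
using System.Data.OleDb;

public static class MonthlyBackupRepository
{
    // Jet/ACE through OleDb accepts only positional parameters: the placeholder
    // is a bare "?" and parameters bind in the order they appear in the SQL.
    private const string InsertSql =
        "INSERT INTO Monthly_Backup_Table (General_Desc) VALUES (?)";

    // Inserts one row and returns the number of rows affected (1 on success).
    public static int InsertDescription(string connectionString, string description)
    {
        if (description == null)
        {
            throw new ArgumentNullException("description");
        }

        using (OleDbConnection connection = new OleDbConnection(connectionString))
        using (OleDbCommand command = new OleDbCommand(InsertSql, connection))
        {
            // The value is sent separately from the SQL text, so an apostrophe or
            // a semicolon in the input is stored literally rather than parsed as
            // SQL. 255 is the maximum width of an Access "Text" column.
            OleDbParameter p = command.Parameters.Add("General_Desc", OleDbType.VarWChar, 255);
            p.Value = description;

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}

// Code-behind for the web form. Button1 and TextBox1 are assumed control names;
// the connection string is assumed to live in Web.config, for example:
//   <connectionStrings>
//     <add name="MonthlyBackup"
//          connectionString="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\backup.mdb" />
//   </connectionStrings>
public partial class MonthlyBackupPage : System.Web.UI.Page
{
    protected void Button1_Click(object sender, EventArgs e)
    {
        string connectionString =
            ConfigurationManager.ConnectionStrings["MonthlyBackup"].ConnectionString;

        // Do NOT build the statement by concatenation, as suggested earlier in the thread:
        //   "INSERT INTO Monthly_Backup_Table (General_Desc) VALUES ('" + TextBox1.Text + "')"
        // A perfectly ordinary input such as O'Brien already breaks that statement,
        // and whatever else the user types becomes part of the SQL.
        string text = TextBox1.Text.Trim();
        if (text.Length == 0 || text.Length > 255)
        {
            // Reject out-of-range input here; the parameter, not this check,
            // is what prevents the text from being interpreted as SQL.
            return;
        }

        MonthlyBackupRepository.InsertDescription(connectionString, text);
    }
}
```

If you would rather keep the AccessDataSource control from the original post, the same idea applies: put the INSERT with its `?` placeholder in `InsertCommand` (not `SelectCommand`, which is for queries that return rows), bind the text box through `InsertParameters` (a `ControlParameter` pointing at `TextBox1` with `PropertyName="Text"`), and call `Insert()` from the button handler.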

