How Can I Safely Insert Data with Single Quotes into an Access Database Using Parameters?

Use parameters to handle single quotes in Access database insertion operations

When using SQL statements to insert data into an Access database, you may encounter problems if the text contains single quotes. To solve this problem, it is recommended to use parameters.

Add original code for book rating:

<code>[WebMethod]
public void bookRatedAdd(string title, int rating, string review, string ISBN, string userName)
{
    //...
    cmd.CommandText = @"INSERT INTO bookRated([title], [rating],  [review], [frnISBN], [frnUserName])VALUES('" + title + "', '" + rating + "','" + review + "','" + ISBN + "', '" + userName + "')";
    //...
}</code>

To use parameters, follow these steps:

1. Replace hardcoded parameters with placeholders:

<code>INSERT INTO bookRated([title], [rating],  [review], [frnISBN], [frnUserName])VALUES(@title, @rating, @review, @isbn, @username)</code>

2. Add named parameters to the command:

<code>[WebMethod]
public void bookRatedAdd(string title, int rating, string review, string ISBN, string userName)
{
    //...
    cmd.Parameters.AddRange(new OleDbParameter[]
    {
        new OleDbParameter("@title", title),
        new OleDbParameter("@rating", rating),
        //...
    });
    //...
}</code>

This approach ensures that single quotes in text are handled correctly when inserting data into an Access database.

The above is the detailed content of How Can I Safely Insert Data with Single Quotes into an Access Database Using Parameters?. For more information, please follow other related articles on the PHP Chinese website!