How to properly escape quotes being written to db

Renkai · June 3, 2011, 8:42pm

I have a form that is writing user info to a database.

My save function has this:

User.SetValue("FirstName", txtFirstName.Text)
User.SetValue("LastName", txtLastName.Text)
User.SetValue("Email", txtEmail.Text)
User.SetValue("City", txtCity.Text)
User.SetValue("Password", txtPassword.Text)

Some users are getting errors, and my testing indicates it has to do with unescaped quotes… Is there some function I can use to filter these text fields prior to running the save function here?

Should I use server.htmlencode, or is there a better recommendation? Thanks

praetor · June 4, 2011, 6:44am

No NO NO! This is not php. Your save function sohuld use parameterized queries and NOT concat values. This is basic Ado.Net usage.
If you want something to use faster, try PetaPoco.