When I insert a single quote in the search box and press the search button it gives an error like:
<blockquote>
[Microsoft][SQL Server Native Client 10.0][SQL Server]Unclosed quotation mark after the character string ' '.
</blockquote>

Answer1:
You should be using <a href="http://www.enterprisedb.com/documentation/dotnet-parameterizedqueries.html" rel="nofollow">parameterized queries</a> instead of constructing your SQL by concatenation.
This will avoid <a href="http://en.wikipedia.org/wiki/SQL_injection" rel="nofollow">SQL Injection attacks</a> as well as resolve any single quote issues.
The quick fix is to escape the <code>'</code> by doubling it (<code>''</code>), but this would just be a temporary workaround and your code will still be vulnerable.
Parameterize your SQL queries. There are more serious issues than this called <a href="http://en.wikipedia.org/wiki/SQL_injection" rel="nofollow">SQL Injection</a>.

Answer3:
You need to escape single quotes, like <code>\'</code>. As you're using single quotes to surround where-statements, like <code>where i = 'foo'</code>, you need to write <code>where i = '\''</code> to match a single quote, or like <code>where i = 'it\'s a good day today'</code>.
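An added example (not from the question or any of the answers) showing the contrast Answer1 draws between concatenated and parameterized SQL; it uses Python's built-in sqlite3 as a stand-in for the SQL Server driver, since the placeholder mechanism works the same way, and the products table and rows are constructed here.

```python
import sqlite3

# Constructed sample data standing in for the table behind the search box.
SAMPLE_ROWS = [("O'Neil widget",), ("Plain widget",), ("Gadget",)]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", SAMPLE_ROWS)
    return conn


def search_concat(conn, term):
    """The vulnerable pattern: user input spliced straight into the SQL text.

    A single quote in `term` ends the string literal early, which is what
    produces the 'Unclosed quotation mark' error from the question.
    """
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """The fix: the driver passes the value separately from the SQL text,
    so a quote inside it is just a character to search for."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def concat_raises_on(conn, term):
    """True if the concatenated query is rejected as malformed SQL."""
    try:
        search_concat(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("parameterized, term \"O'Neil\":", search_param(db, "O'Neil"))
    print("concatenated, term \"'\" raises:", concat_raises_on(db, "'"))
```

The parameterized version also treats a whole-clause payload such as `' OR '1'='1` as a literal pattern and returns nothing, whereas the concatenated version returns every row.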