This question already has an answer here:
- Why do we always prefer using parameters in SQL statements?
Background
There is an application where users are required to enter information that will be stored in a DB. I then have an application that runs every 5 minutes and gets the information that was entered by the user through the previous application. My app grabs all the information from the database, proceeds to create the given document and then places it on a server for the user to get. However, users started having issues with a specific document, where certain functionalities were not executing correctly. I identified the issue as being a string which a user entered in the entry application: in the title column they had "Jame's Bond Story", and my application creates the document without any issue whatsoever. After debugging I identified the following problem.
Problem
Not sure how the specific user did what he did, but the single quote ' was not really a single quote but some other type of weird character anomaly. I proved this by running the following code to see if I could remove it.
string cleanTitle = BookRec.TitleName.Replace("'","");
However, this did not work for me at all. I then broke the string into a character array and instead of getting the character I got a weird digit. So then I proceeded to use this regex to clean every character and only allow numbers and letters.
string cleanTitle = Regex.Replace(BookRec.TitleName, "[^\\w\\. _]", "");
This has now become an issue because the users want the Title to be able to contain the following special characters: ( ) _ , - .
I am looking for a way to filter out any characters, including the type I ran into this week, and only allow the 6 characters which the users have agreed to. I came up with the following regex formula, but I am getting an empty string.
Regex fomrula = new Regex(@"^[a-zA-Z0-9_\[])(,\-.'");
However, I am getting an empty string when I replace the title. I am not a big fan of regex; I am also open to a substring approach to this as well.
Appended Information
I am not able to access the application that inserts the information into the given database. I am only able to read from the database and then perform actions.
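The following is an added example, not code from the question above. It does two things the question asks about: it dumps each character of the title with its code point, which is how you find out what the "weird digit" actually is, and it strips the title down to an allowlist of letters, digits, space and the six agreed characters ( ) _ , - . using a single negated character class. The sample title is constructed; it assumes the odd character was a typographic apostrophe (U+2019, RIGHT SINGLE QUOTATION MARK), which is the usual substitution a word processor makes for the ' key. That is an assumption, not something the question confirms.

```csharp
using System;
using System.Globalization;
using System.Text;
using System.Text.RegularExpressions;

public static class TitleSanitizer
{
    // Allowlist agreed with the users: letters, digits, space and ( ) _ , - .
    // Inside a character class '(' ')' ',' '.' and '_' need no escaping;
    // '-' is escaped so it is not read as a range. The leading '^' negates
    // the class, so the pattern matches every character NOT in the allowlist.
    private static readonly Regex Disallowed =
        new Regex(@"[^A-Za-z0-9 ()_,\-.]", RegexOptions.Compiled);

    // Removes everything outside the allowlist. A look-alike quote such as
    // U+2019 survives Replace("'", "") but is dropped here, because it is
    // simply not in the class.
    public static string Clean(string title)
    {
        if (title == null) return string.Empty;
        string cleaned = Disallowed.Replace(title, "");
        // Collapse double spaces left behind by removed characters, then trim.
        return Regex.Replace(cleaned, @" {2,}", " ").Trim();
    }

    // Diagnostic: one line per UTF-16 code unit with its code point and
    // Unicode category, so U+0027 (plain apostrophe) and U+2019 are
    // distinguishable at a glance. Characters outside the BMP show as
    // two surrogate entries, which is enough for this purpose.
    public static string DumpCodePoints(string s)
    {
        var sb = new StringBuilder();
        foreach (char c in s)
        {
            string shown = char.IsControl(c) ? "?" : c.ToString();
            sb.AppendFormat("{0}\tU+{1:X4}\t{2}\n",
                shown, (int)c, CharUnicodeInfo.GetUnicodeCategory(c));
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample row value; the apostrophe is U+2019 (assumption).
        string fromDb = "Jame\u2019s Bond Story (2nd ed.), vol-1";

        Console.WriteLine(DumpCodePoints(fromDb));
        Console.WriteLine(Clean(fromDb));
    }
}
```

The dump is what you run first: if the apostrophe line reads U+2019 rather than U+0027, the earlier Replace("'", "") was never going to match. Note that this cleaning protects the document generator only; it is not a substitute for passing the title as a parameter in any SQL the second application issues, which is the point of the linked question.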