Encoding user input
-
Hey, Are there any predefined functions in .NET to encode user input for SQL statement compatibility (i.e. change "'" to "\'", etc.)? So: "Sam's cat died." would become "Sam\'s cat died." Thanks, Adam -- Adam "If you can't beat your computer in chess, try kickboxing"
-
You should avoid encoding user input into your SQL queries. This is a major security hole:

    SELECT MyColumn FROM MyTable WHERE MyOtherColumn={1}

can become

    SELECT MyColumn FROM MyTable WHERE MyOtherColumn=0; DELETE FROM MyTable

A better solution is to use stored procedures and pass user input as their parameters.

Alexandre Kojevnikov
MCAD charter member
Leuven, Belgium
-
If you are using SqlCommands or DataAdapters, you can use parameters for your values and it will automatically encode them for you. When you specify your DataAdapter query you can put:

    SELECT au_id, au_lname, au_fname from authors where au_fname = @au_fname

Then in your command:

    myCmd.Parameters["@au_fname"].Value = "'any'''input";

And all should be well. Another approach is to simply do a string replace on your input, replacing all single quotes with two single quotes.

Rocky Moore <><
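The parameterized approach both replies recommend, written out as a complete ADO.NET example (added here; not code from either poster). It assumes the pubs `authors` table from the query above and a placeholder connection string; the sample inputs, including the apostrophe and quote-heavy strings from the thread, are constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // on modern .NET, Microsoft.Data.SqlClient exposes the same API shape

class AuthorLookup
{
    // Placeholder connection string: replace with your own.
    const string ConnectionString = "Server=(local);Database=pubs;Integrated Security=true";

    // Returns the number of authors whose first name equals the user-supplied value.
    // The value never becomes part of the SQL text; it is sent to the server as a typed
    // parameter, so quotes, semicolons and "DELETE" inside it are just data to compare.
    static int CountAuthorsByFirstName(string userInput)
    {
        // What NOT to do (the hole from the thread): building the text by concatenation,
        //   "SELECT COUNT(*) FROM authors WHERE au_fname = '" + userInput + "'"
        const string sql = "SELECT COUNT(*) FROM authors WHERE au_fname = @au_fname";

        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Declare type and length explicitly so the server sees one stable parameter
            // signature for every call instead of one per input length (helps plan caching).
            // au_fname in pubs is varchar(20).
            cmd.Parameters.Add("@au_fname", SqlDbType.VarChar, 20).Value = userInput;

            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        // Constructed inputs: an ordinary name, the apostrophe case from the question,
        // and the quote-heavy value from the reply. None of them needs caller-side escaping.
        string[] samples = { "Johnson", "Sam's cat died.", "'any'''input" };
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-20} -> {1} row(s)", s, CountAuthorsByFirstName(s));
        }
    }
}
```

The same `cmd.Parameters.Add(...)` call works unchanged when `CommandType` is set to `StoredProcedure`, which is the stored-procedure variant suggested in the first reply.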