Escape special characters in SQL INSERT INTO via C#

c# sql sql-server escaping
20,890

Solution 1

You should always use parameterized querys. They help you avoid situations like the one you are having, as well as SQL Injection attacks

sqlCom.CommandText = "INSERT INTO dbo.Table(userId, imagePath, userComments, dateCommented) VALUES (@userId, @imagePath, @userComments, @dateCommented)";

sqlCom.Parameters.AddWithValue("@userId", userId);
sqlCom.Parameters.AddWithValue("@imagePath", imagePath);
sqlCom.Parameters.AddWithValue("@userComments", comments);
sqlCom.Parameters.AddWithValue("@dateCommented", theDate);

Solution 2

You need to duplicate the ' character in comments 

comments = comments.Replace("'", "''");

Alternatively, but more safety, is to use Sql parameter, example : 

cmd.CommandText = "SELECT * FROM Client, Project WHERE Client.ClientName = @ClientName AND Project.ProjectName = @ProjectName";

cmd.Parameters.Add(new SqlParameter("@ClientName",client.SelectedValue));

cmd.Parameters.Add(new SqlParameter("@ProjectName",projnametxt.Text));

Solution 3

You should NEVER do this...because it allows for easy SQL injection. I could inject malicious sql queries through a comment, something like...

 ;drop database master;

use parameters instead to avoid sql injection

command.Parameters.Add(new SqlParameter("@Param", value));
Share:
20,890
frank billy
Author by

frank billy

Updated on June 20, 2020

Comments

  • frank billy
    frank billy almost 4 years

    I have searched google and haven't found any solution for my issue yet. Basically I have a comments feed that is setup within an image gallery (similar to facebook or stackoverflow comments). Users can post comments and read comments posted by other users. This is working fine. However, if a user tries to post a comment with an apostrophe, I get a nice little web application error:

    Incorrect syntax near 's'. Unclosed quotation mark after the character string ')'.

    The comment that I'm posting to SQL is 81's. I'm wanting a solution that will escape all special characters so that whatever the user types in, no matter what, doesn't error out.

    Code Behind

    Fetcher.postUserComments(connectionString, imagePath, comments.ToString(), userId);

    Fetcher

    sqlCom.CommandText = "INSERT INTO dbo.Table(userId, imagePath, userComments, dateCommented) VALUES ('" + userId + "', '" + imagePath + "', '" + comments + "', '" + theDate + "')";

    The data type is string and I've also tried doing a .ToString() but no luck. Thanks in advance for any helpful input.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Escaping special characters in a SQL LIKE statement using sql parameters
Parameterize WHERE Clause in Query
Is SQL code faster than C# code?
Multiple Left Outer Join with lambda expressions
Entity framework - COUNT rather than SELECT
How to check for the existence of a DB?
SqlDependency OnChange Not Firing
SqlParameter and IN statement
C# use script to create database
"Can't find PInvoke DLL 'dbnetlib.dll'." error in Smart Device Application