I need to create a string method that takes in a string and
escapes it so that it can be used in a database SQL query, for example:
"This is john's dog" ==> "This is john''s dog"
"This is a 'quoted' string" ==> "This is a ''quoted'' string"
I want my method to look something like this:
string PrepareForSQLCommand(string text)
{
...
}
Anyway, I don’t know all of the characters that need to be escaped in SQL query.
I am not sure what the best approach is to do this, or if there is some
existing robust built-in stuff to do this in C#.
Apologies for not mentioning this earlier: I DO NOT HAVE THE OPTION TO USE PARAMETRIZED QUERIES.
Ted
Trigger Warning. This answer is in response to the following statement:
Please do not up-vote this answer and please don’t accept this as the correct way of doing things. I don’t know why the OP cannot use parametrized queries, so I am answering that specific question and not recommending this is how you should do this. If you are not the OP, please read the other answer I have given. Also, please bear in mind the above constraint before down-voting. Thanks.
End of trigger warning!
For Microsoft SQL Server (the answer is different depending on the server) you will need to escape the single quote characters.
But before you escape these characters, you should reject any character not on your white-list. This is because there are lots of very clever tricks out there and white-list validation is more secure than simply escaping characters you know are bad.
For example, this would remove
[and]characters, and ‘;’ characters. You may need to adjust the regex to match your expectations as this is a very restrictive white-list – but you know what kind of data you are expecting to see in your application.I hope this helps. Feel free to check out the OWASP website for more details on security and if you can find a way of using parametrized queries you’ll sleep all the better for it.