I use an API that expects a SQL string. I take a user input,

Question

0

Asked: May 13, 20262026-05-13T21:33:22+00:00 2026-05-13T21:33:22+00:00

I use an API that expects a SQL string. I take a user input,

0

I use an API that expects a SQL string. I take a user input, escape it and pass it along to the API. The user input is quite simple. It asks for column values. Like so:

string name = userInput.Value;

Then I construct a SQL query:

string sql = string.Format("SELECT * FROM SOME_TABLE WHERE Name = '{0}'",
                           name.replace("'", "''"));

Is this safe enough? If it isn’t, is there a simple library function that make column values safe:

string sql = string.Format("SELECT * FROM SOME_TABLE WHERE Name = '{0}'",
                           SqlSafeColumnValue(name));

The API uses SQLServer as the database.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-13T21:33:22+00:00

Since using SqlParameter is not an option, just replace ‘ with ” (that’s two single quotes, not one double quote) in the string literals. That’s it.

To would-be downvoters: re-read the first line of the question. “Use parameters” was my gut reaction also.

EDIT: yes, I know about SQL injection attacks. If you think this quoting is vulnerable to those, please provide a working counterexample. I think it’s not.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I use an API that expects a SQL string. I take a user input,

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply