How do I convert a string into safe SQL String?

.net sql sanitization
Diskdrive picture Diskdrive · Apr 3, 2011 · Viewed 59.8k times · Source

I'm generating some sql insert statements from a bunch of text files.

These text files are generally user input data. I would like to sanitize this data so that it's not going to break the insert statement.

For example, some of the input data, people have used the word Don't. The "'" in don't will lead the sql statement to think the string has ended and therefore cause an error.

Is there any .NET method I can call to kind of convert all of these characters to either escape codes or safe characters?

Answer

Andomar picture Andomar · Apr 3, 2011

There is only a single character you have to escape: ansi 0x27, aka the single quote:

safeString = unsafeString.Replace("'","''");

Related questions

What is the syntax for an inner join in LINQ to SQL?

I'm writing a LINQ to SQL statement, and I'm after the standard syntax for a normal inner join with an ON clause in C#. How do you represent the following in LINQ to SQL: select DealerContact.* from Dealer inner join …

Read More
how to insert datetime into the SQL Database table?

How can I insert datetime into the SQL Database table ? Is there a way to insert this query through the insert command in C# / .NET?

Read More
Read SQL Table into C# DataTable

I've read a lot of posts about inserting a DataTable into a SQL table, but is there an easy way to pull a SQL table into a .NET DataTable?

Read More