How to prevent a SQL Injection escaping strings

c# .net sql-injection
markzzz picture markzzz · Jul 1, 2011 · Viewed 44k times · Source

I have some queries (to an acccess database) like this :

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL='" + user + "' AND PASSWORD_AZIENDA='" + password + "'";

and I'd like to "escape" user and password, preventing an injection.

How can I do it with C# and .NET 3.5? I'm searching somethings like mysql_escape_string on PHP...

Answer

Jethro picture Jethro · Jul 1, 2011

You need to use parameters. Well dont have to but would be preferable.

SqlParameter[] myparm = new SqlParameter[2];
myparm[0] = new SqlParameter("@User",user);
myparm[1] = new SqlParameter("@Pass",password);

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@User AND PASSWORD_AZIENDA=@Pass";

Related questions

Does using parameterized SqlCommand make my program immune to SQL injection?

I'm aware that SQL injection is rather dangerous. Now in my C# code I compose parameterized queries with SqlCommand class: SqlCommand command = ...; command.CommandText = "SELECT * FROM Jobs WHERE JobId = @JobId;"; command.Parameters.Add("@JobId", SqlDbType.UniqueIdentifier ).Value = actualGuid; command.ExecuteNonQuery(); …

Read More
How to make an HTTP POST web request

Canonical How can I make an HTTP request and send some data using the POST method? I can do a GET request, but I have no idea of how to make a POST request.

Read More
How can I convert String to Int?

I have a TextBoxD1.Text and I want to convert it to an int to store it in a database. How can I do this?

Read More