HtmlEncoding, SQL Encoding in ASP.NET


Chris

Hey,

What are the usual ways to encode a SQL string for safe insertion into the
db? Are there
handy functions like PHP's addslashes, etc? Or should I use the Regexp, or
string.Replace functions?

Cheers
Chris
 
It depends on the db. Generally, you can simply replace single quotes with
doubled single quotes to escape them.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.
 
Chris said:
What are the usual ways to encode a SQL string for safe insertion into the
db? Are there
handy functions like PHP's addslashes, etc? Or should I use the Regexp, or
string.Replace functions?

Chris, use a parameterized query, like:

string SQL = "SELECT * FROM TableName WHERE Foo = @Bar";

Note the @Bar is a parameter. Then, you can set a value for the
parameter by adding a SqlParameter or OleDbParameter instance to the
Command object's Parameters collection.

--

Scott Mitchell
http://www.4GuysFromRolla.com
http://www.ASPFAQs.com
http://www.ASPMessageboard.com

* When you think ASP, think 4GuysFromRolla.com!
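Scott's parameterized approach carried through to the insertion Chris asked about, as an added example that is not code from the thread; it assumes a SQL Server table TableName with an NVARCHAR column Foo, and the connection string is a placeholder.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not code from the thread). Assumes a SQL Server table
// "TableName" with an NVARCHAR column "Foo"; the connection string is a placeholder.
public static class ParameterizedSql
{
    // Inserts a value the way the thread recommends: the text is bound as a
    // typed parameter and never concatenated into the SQL string, so no
    // quote-doubling or Replace() is needed.
    public static int InsertFoo(string connectionString, string value)
    {
        const string sql = "INSERT INTO TableName (Foo) VALUES (@Bar)";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Declaring the type and length keeps the plan cache stable and
            // rejects over-long input at the driver instead of at the server.
            cmd.Parameters.Add("@Bar", SqlDbType.NVarChar, 100).Value = value;
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected
        }
    }

    // Reads the value back with the same @Bar parameter Scott's SELECT uses.
    public static int CountFoo(string connectionString, string value)
    {
        const string sql = "SELECT COUNT(*) FROM TableName WHERE Foo = @Bar";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Bar", SqlDbType.NVarChar, 100).Value = value;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    public static void Main()
    {
        // Placeholder connection string; replace with your own.
        string connStr = "Server=(local);Database=ExampleDb;Integrated Security=true";
        // Constructed input containing the single quote the thread is concerned with.
        string name = "O'Brien";
        InsertFoo(connStr, name);
        // The quote was stored as data, not parsed as SQL, so the row is found again.
        Console.WriteLine(CountFoo(connStr, name));
    }
}
```

For OleDb providers the same pattern applies with OleDbCommand and OleDbParameter, except that parameters are positional (`?`) rather than named.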
 